ZAP Scanning Report

Summary of Alerts

Risk LevelNumber of Alerts
High5
Medium73
Low447
Informational0

Alert Detail

High (Medium)Cross Site Scripting (Reflected)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

URL

https://trello.com/login/sso?returnUrl=javascript%3Aalert%281%29%3B

    Method

GET

    Parameter

returnUrl

    Attack

javascript:alert(1);

    Evidence

javascript:alert(1);

Instances

1

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id

79

WASC Id

8

Source ID

1

High (Medium)SQL Injection

Description

SQL injection may be possible.

URL

https://trello.com/1/authentication

    Method

POST

    Parameter

factors[password]

    Attack

Zx10fxdl AND 1=1 --

Instances

1

Solution

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the principle of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

Other information

The page results were successfully manipulated using the boolean conditions [Zx10fxdl AND 1=1 -- ] and [Zx10fxdl AND 1=2 -- ]

The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison

Data was returned for the original parameter.

The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter

Reference

https://www.owasp.org/index.php/Top_10_2010-A1

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

CWE Id

89

WASC Id

19

Source ID

1

High (Medium)Remote OS Command Injection

Description

Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs.

URL

https://trello.com/c/4hRX2szd?query=query%26sleep+15%26

    Method

GET

    Parameter

query

    Attack

query&sleep 15&

Instances

1

Solution

If at all possible, use library calls rather than external processes to recreate the desired functionality.

Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by your software.

OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows you to specify restrictions on file operations.

This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.

For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the command locally in the session's state instead of sending it out to the client in a hidden form field.

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

For example, consider using the ESAPI Encoding control or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.

If you need to use dynamically-generated query strings or commands in spite of the risk, properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection.

If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

When constructing OS command strings, use stringent whitelists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping.

Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ";" and ">" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components.

Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.

Reference

http://cwe.mitre.org/data/definitions/78.html

https://www.owasp.org/index.php/Command_Injection

CWE Id

78

WASC Id

31

Source ID

1

High (Medium)SQL Injection - Authentication Bypass

Description

SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed

URL

https://trello.com/1/authentication

    Method

POST

    Parameter

factors[password]

    Attack

Zx10fxdl AND 1=1 --

Instances

1

Solution

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the principle of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

Reference

https://www.owasp.org/index.php/Top_10_2010-A1

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

CWE Id

89

WASC Id

19

Source ID

1

High (Medium)Remote File Inclusion

Description

Remote File Include (RFI) is an attack technique used to exploit "dynamic file include" mechanisms in web applications. When web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code.

Almost all web application frameworks support file inclusion. File inclusion is mainly used for packaging common code into separate files that are later referenced by main application modules. When a web application references an include file, the code in this file may be executed implicitly or explicitly by calling specific procedures. If the choice of module to load is based on elements from the HTTP request, the web application might be vulnerable to RFI.

An attacker can use RFI for:

* Running malicious code on the server: any code in the included malicious files will be run by the server. If the file include is not executed using some wrapper, code in include files is executed in the context of the server user. This could lead to a complete system compromise.

* Running malicious code on clients: the attacker's malicious code can manipulate the content of the response sent to the client. The attacker can embed malicious code in the response that will be run by the client (for example, Javascript to steal the client session cookies).

PHP is particularly vulnerable to RFI attacks due to the extensive use of "file includes" in PHP programming and due to default server configurations that increase susceptibility to an RFI attack.

URL

https://trello.com/associate/?query=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3DOWASP%2520ZAP

    Method

GET

    Parameter

query

    Attack

http://www.google.com/search?q=OWASP%20ZAP

    Evidence

<title>Use Your Google Account</title>

Instances

1

Solution

Phase: Architecture and Design

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.

Phases: Architecture and Design; Operation

Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by your software.

OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows you to specify restrictions on file operations.

This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.

Be careful to avoid CWE-243 and other weaknesses related to jails.

For PHP, the interpreter offers restrictions such as open basedir or safe mode which can make it more difficult for an attacker to escape out of the application. Also consider Suhosin, a hardened PHP extension, which includes various options that disable some of the more dangerous PHP features.

Phase: Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

For filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434.

Phases: Architecture and Design; Operation

Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.

This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce your attack surface.

Phases: Architecture and Design; Implementation

Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.

Many file inclusion problems occur because the programmer assumed that certain inputs could not be modified, especially for cookies and URL components.

Reference

http://projects.webappsec.org/Remote-File-Inclusion

http://cwe.mitre.org/data/definitions/98.html

CWE Id

98

WASC Id

5

Source ID

1

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=5jGyt61Y5mBRo6KtryXXZRQUgv-M4lc0&VER=8&SID=9100291EBCC7BADD&RID=20717&AID=1&zx=w76is1y36sqw&t=1

    Method

POST

    Parameter

SID

    Evidence

9100291EBCC7BADD

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=i9jqMEzp2xz0rqIe-f9KCUQiqiJgZKaC&VER=8&RID=rpc&SID=7BBBD2A5522F9241&CI=1&AID=0&TYPE=xmlhttp&zx=zazj0pfaolrn&t=1

    Method

GET

    Parameter

SID

    Evidence

7BBBD2A5522F9241

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=vAHHxA7dX2Er4QSQba9udnTUlFBIJMZh&VER=8&RID=rpc&SID=5B71834F84192D0C&CI=1&AID=0&TYPE=xmlhttp&zx=l6w5sipnpsx7&t=1

    Method

GET

    Parameter

SID

    Evidence

5B71834F84192D0C

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=_Z_zcU0KEaJaWtXpj4lwcqpy7cbxsDf1&VER=8&SID=48309168D5A22575&RID=31019&AID=1&zx=6z13qkzdl19&t=1

    Method

POST

    Parameter

SID

    Evidence

48309168D5A22575

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=3vvGL-j-BIxkkLlNpkVP7UfF2ESYViXo&VER=8&SID=81E0A9BB3E0D5AEE&RID=30402&AID=1&zx=3y5lae7e9y31&t=1

    Method

POST

    Parameter

SID

    Evidence

81E0A9BB3E0D5AEE

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=JsAi6j00p1sIcnY1wyjAhX5BE3-FMw4j&VER=8&SID=257140B2064C06B8&RID=13660&AID=1&zx=ss79xfi7nhih&t=1

    Method

POST

    Parameter

SID

    Evidence

257140B2064C06B8

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=Jst1nX_noM57V9IvZvsuLL9AUM0uAZdj&VER=8&SID=26DFAA2F8CFC05F6&RID=86449&AID=0&zx=ulhjw213uhb6&t=1

    Method

POST

    Parameter

SID

    Evidence

26DFAA2F8CFC05F6

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=kI3GE36-bA01eSUjpTtfIUm4dAUs3br4&VER=8&SID=41B3366E54DBEB2F&RID=46555&AID=1&zx=9wjd91iv3sek&t=1

    Method

POST

    Parameter

SID

    Evidence

41B3366E54DBEB2F

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=oaZGQ7VJ5wMteqBzTz0VXqcu28qqdAzz&VER=8&SID=65734A5044C151E7&RID=2462&AID=0&zx=gzw16kvt8xpb&t=1

    Method

POST

    Parameter

SID

    Evidence

65734A5044C151E7

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=Oo2Jvd4lelJgcP3O-as3yaOpieHkZnj3&VER=8&RID=rpc&SID=1D69DB61E4307681&CI=1&AID=1&TYPE=xmlhttp&zx=9q23htar4k0w&t=1

    Method

GET

    Parameter

SID

    Evidence

1D69DB61E4307681

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=6nTyvM5nxgWWKz8K64S0-I-R2dMdEuue&VER=8&RID=rpc&SID=188282103B7C3573&CI=1&AID=1&TYPE=xmlhttp&zx=1lv1cto8ni4o&t=1

    Method

GET

    Parameter

SID

    Evidence

188282103B7C3573

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=87ebc_y4Z8toMlEwVkZ7koFAYrDjCopF&VER=8&RID=rpc&SID=446BE808160AC666&CI=1&AID=3&TYPE=xmlhttp&zx=6njil7nqtt3h&t=1

    Method

GET

    Parameter

SID

    Evidence

446BE808160AC666

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=uk2m7X3X-xtiFkOu0hDV3v_M6vgPGZ9c&VER=8&RID=rpc&SID=868DB273262B3526&CI=1&AID=0&TYPE=xmlhttp&zx=no028nu9nxke&t=1

    Method

GET

    Parameter

SID

    Evidence

868DB273262B3526

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=nqPlgAD1CcuVbVS5EpJz09jDHR1BluQd&VER=8&RID=rpc&SID=3BE6EABE3AF8B639&CI=1&AID=0&TYPE=xmlhttp&zx=x7mqxid00cb0&t=1

    Method

GET

    Parameter

SID

    Evidence

3BE6EABE3AF8B639

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=CYAPxpJ0jpz1cxk3gea1PFDcXRHZ96GE&VER=8&RID=rpc&SID=9B95DF5D43BDCB09&CI=1&AID=1&TYPE=xmlhttp&zx=aeou9s9mmeio&t=1

    Method

GET

    Parameter

SID

    Evidence

9B95DF5D43BDCB09

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=7KdntTD6U3Zc7yNPpP7Xdpk0McIju7pq&VER=8&SID=ED3F6D3AD5C80CC9&RID=817&AID=3&zx=ms7ezvbfvh73&t=1

    Method

POST

    Parameter

SID

    Evidence

ED3F6D3AD5C80CC9

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=Eq8TvSPcyfKboQLPO9TC_5QvvByyXPT5&VER=8&SID=3139848AF4D9EBB4&RID=19694&AID=0&zx=hk4u8c7czgyz&t=1

    Method

POST

    Parameter

SID

    Evidence

3139848AF4D9EBB4

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=Oo2Jvd4lelJgcP3O-as3yaOpieHkZnj3&VER=8&SID=D0CBC0F453F3249&RID=69602&AID=1&zx=ak751qr2cw6e&t=1

    Method

POST

    Parameter

SID

    Evidence

D0CBC0F453F3249

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170622.12_p0&gsessionid=JN9DagWI61acZQ-DPqaldQ6w8AZIDkOv&VER=8&RID=rpc&SID=AC045E1D1671A902&CI=1&AID=0&TYPE=xmlhttp&zx=tdziutyfmw9v&t=1

    Method

GET

    Parameter

SID

    Evidence

AC045E1D1671A902

URL

https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=Sac0TspixMw5zqVhvD4eS0RcbQTyxmAb&VER=8&SID=B30927C3F7AF856D&RID=97432&AID=0&zx=3dxrfwyw8aui&t=1

    Method

POST

    Parameter

SID

    Evidence

B30927C3F7AF856D

Instances

1119

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=1498853173111&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&RID=rpc&SID=FEF68874CB2DACFF&CI=1&AID=1&TYPE=xmlhttp&zx=i3kf9pjf38i5&t=3

    Method

OPTIONS

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=1498853173111&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&RID=rpc&SID=FEF68874CB2DACFF&CI=1&AID=1&TYPE=xmlhttp&zx=kszm5gs3syhw&t=1

    Method

OPTIONS

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=1498853173111&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&RID=rpc&SID=FEF68874CB2DACFF&CI=1&AID=1&TYPE=xmlhttp&zx=kszm5gs3syhw&t=1

    Method

OPTIONS

    Parameter

SID

    Evidence

FEF68874CB2DACFF

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=1498853173111&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&RID=rpc&SID=FEF68874CB2DACFF&CI=1&AID=1&TYPE=xmlhttp&zx=7iypqbvmhdof&t=2

    Method

OPTIONS

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/test?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=-1&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&TYPE=xmlhttp&zx=8zsfiuw5ot0n&t=1

    Method

GET

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=1498853173111&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&RID=rpc&SID=FEF68874CB2DACFF&CI=1&AID=1&TYPE=xmlhttp&zx=i3kf9pjf38i5&t=3

    Method

OPTIONS

    Parameter

SID

    Evidence

FEF68874CB2DACFF

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/test?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=-1&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&TYPE=xmlhttp&zx=8zsfiuw5ot0n&t=1

    Method

OPTIONS

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=1498853173111&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&RID=rpc&SID=FEF68874CB2DACFF&CI=1&AID=1&TYPE=xmlhttp&zx=7iypqbvmhdof&t=2

    Method

OPTIONS

    Parameter

SID

    Evidence

FEF68874CB2DACFF

Instances

8

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://1.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170626.09_p0&gsessionid=LjmM542zHeOoe_HRwCV3sE7vtsOBWutq&VER=8&RID=rpc&SID=5167A445916DE4D9&CI=1&AID=3&TYPE=xmlhttp&zx=2cem9mk0q9fx&t=1

    Method

GET

    Parameter

SID

    Evidence

5167A445916DE4D9

URL

https://1.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=_7ovc8V9m1QnxcHLHmp2sEmAopsh6OJV&VER=8&SID=32AC8B5F9FB48A28&RID=24144&AID=0&zx=hrfn9v27nodt&t=1

    Method

POST

    Parameter

SID

    Evidence

32AC8B5F9FB48A28

URL

https://1.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170626.09_p0&gsessionid=4Sy6rs3JO0Rr5Cdltdmnk8dODTskkFfD&VER=8&SID=D6DE14E98713EA96&RID=36422&AID=0&zx=4hapbpo1zpel&t=1

    Method

POST

    Parameter

SID

    Evidence

D6DE14E98713EA96

URL

https://1.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=7EMy1FbMEzBaC7j_oZ_0FPdlzCk4DD1J&VER=8&RID=rpc&SID=6012C945022FD49A&CI=1&AID=0&TYPE=xmlhttp&zx=8f6y9290bt2i&t=1

    Method

GET

    Parameter

SID

    Evidence

6012C945022FD49A

URL

https://1.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170626.09_p0&gsessionid=8CnqG-F0zymwtl5xS0NjXxBiry584Hah&VER=8&SID=356A322F2C666F8E&RID=62099&AID=1&zx=fzf6mqsv7sb7&t=1

    Method

POST

    Parameter

SID

    Evidence

356A322F2C666F8E

URL

https://1.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=6jsg5tF5l7DGKTmSpQfJ-6RRL_HAP3K3&VER=8&RID=rpc&SID=52631611D6AF8ED8&CI=1&AID=1&TYPE=xmlhttp&zx=nzuxfir3utaa&t=1

    Method

GET

    Parameter

SID

    Evidence

52631611D6AF8ED8

URL

https://1.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=7CAutQWMlpWYCAkfBqaXxqVPEdKRPlDd&VER=8&RID=rpc&SID=15C253C3289E2AEE&CI=1&AID=3&TYPE=xmlhttp&zx=u5bc35uvnrmp&t=1

    Method

GET

    Parameter

SID

    Evidence

15C253C3289E2AEE

URL

https://1.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=rxRiSo1xScvHTp3eVZecMPabrHt9x5bq&VER=8&SID=CAFC9F2D49327D80&RID=34216&AID=1&zx=ic4c7ktaasad&t=1

    Method

POST

    Parameter

SID

    Evidence

CAFC9F2D49327D80

URL

https://1.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170626.09_p0&gsessionid=aPcku-4WnR4dMbn2N40kq9L64EEGN5UC&VER=8&RID=rpc&SID=53E057D704DD75D3&CI=1&AID=1&TYPE=xmlhttp&zx=8dmi1vmpwota&t=1

    Method

GET

    Parameter

SID

    Evidence

53E057D704DD75D3

URL

https://1.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170626.09_p0&gsessionid=T_g7TWWfXERIPceJIq2i9J6VqxRc5RSA&VER=8&SID=2C962437258F55B7&RID=29291&AID=0&zx=rhucx4heg4w5&t=1

    Method

POST

    Parameter

SID

    Evidence

2C962437258F55B7

URL

https://1.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=7CAutQWMlpWYCAkfBqaXxqVPEdKRPlDd&VER=8&SID=63503CAA54C27575&RID=58943&AID=1&zx=nkwuh08fp60e&t=1

    Method

POST

    Parameter

SID

    Evidence

63503CAA54C27575

URL

https://1.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170626.09_p0&gsessionid=YAbS2cBNPyB80f_6FK3HT63RXHOsIJ2s&VER=8&RID=rpc&SID=E9746C3DA530A36B&CI=1&AID=1&TYPE=xmlhttp&zx=d2c4fh8x6nqh&t=1

    Method

GET

    Parameter

SID

    Evidence

E9746C3DA530A36B

URL

https://1.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170626.09_p0&gsessionid=T_g7TWWfXERIPceJIq2i9J6VqxRc5RSA&VER=8&SID=F1920CEF34D081BE&RID=85094&AID=0&zx=tbszerwq54x4&t=1

    Method

POST

    Parameter

SID

    Evidence

F1920CEF34D081BE

URL

https://1.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170626.09_p0&gsessionid=3qowv0SOwTRubzcGAsljMOz8Qaj7zgfs&VER=8&RID=rpc&SID=C1284E5E84B425B2&CI=1&AID=4&TYPE=xmlhttp&zx=61melxqsreej&t=1

    Method

GET

    Parameter

SID

    Evidence

C1284E5E84B425B2

URL

https://1.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=sFJpO00GTWn7AbT8YUHZPYpeB-Nhy1i-&VER=8&RID=rpc&SID=FDFC7A7494475B9E&CI=1&AID=3&TYPE=xmlhttp&zx=kfuq65e15lvs&t=1

    Method

GET

    Parameter

SID

    Evidence

FDFC7A7494475B9E

URL

https://1.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=naIpEbhTziq7cSbhSlhQk9oe6QL0uRt_&VER=8&RID=rpc&SID=7A5F95E63E679941&CI=1&AID=0&TYPE=xmlhttp&zx=w467rdmqlc3t&t=1

    Method

GET

    Parameter

SID

    Evidence

7A5F95E63E679941

URL

https://1.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=smuPaVwqOeH2Xyz7DoPgIX1_-KYxvg5G&VER=8&RID=rpc&SID=960571D8D26B63F4&CI=1&AID=1&TYPE=xmlhttp&zx=rnj6dogn547z&t=1

    Method

GET

    Parameter

SID

    Evidence

960571D8D26B63F4

URL

https://1.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=9-5fg63H8ZCs9CHUOm3DQd1OuRxb8I98&VER=8&SID=9FBC8509E56264E7&RID=41916&AID=1&zx=j17fb77erx1j&t=1

    Method

POST

    Parameter

SID

    Evidence

9FBC8509E56264E7

URL

https://1.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=hangouts&prop=gmail&appver=chat_frontend_20170626.09_p0&gsessionid=il9aKohX0y9m5ZybnpW_mFzFV6aDHK5N&VER=8&RID=rpc&SID=12DEE97FBA8B0FE1&CI=1&AID=1&TYPE=xmlhttp&zx=1vto4v2fjyqh&t=1

    Method

GET

    Parameter

SID

    Evidence

12DEE97FBA8B0FE1

URL

https://1.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=StartPage&appver=chat_frontend_20170626.09_p0&gsessionid=lQetO2jU-4QvEvOMg6YnGU_k8zH7XgXb&VER=8&RID=rpc&SID=CE2731DAAC00E750&CI=1&AID=0&TYPE=xmlhttp&zx=vnspty96j3kw&t=1

    Method

GET

    Parameter

SID

    Evidence

CE2731DAAC00E750

Instances

1069

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/bind?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498862102332&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&RID=36128&CVER=1&zx=ijg8lgffdze&t=1

    Method

POST

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/test?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498862102332&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&MODE=init&zx=lhfay4vqx8fa&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/test?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498858346396&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&MODE=init&zx=1bgy75pnlnd3&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/bind?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498857026495&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&RID=rpc&SID=749BB05DBAE0BEF5&CI=1&AID=18&TYPE=xmlhttp&zx=achdhiz2nzt9&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/test?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498861462435&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&TYPE=xmlhttp&zx=1vnapci568r7&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/bind?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498856672213&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&RID=rpc&SID=D6A93DA8908CD994&CI=1&AID=61&TYPE=xmlhttp&zx=e2i6f1v4v9am&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/bind?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498861011456&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&RID=72971&CVER=1&zx=3fny0xbw3050&t=1

    Method

POST

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/test?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498854982782&u=07824161828339778034&c=1&w=1&gsi=1&ar=4136&arat=vqHD1xFsXqLW2A&smv=2&cimpl=1&MODE=init&zx=5w4q8ku9qubd&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/bind?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498859417953&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&RID=9318&CVER=1&zx=6zpn5djvtnua&t=1

    Method

POST

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/bind?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498856672174&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&RID=rpc&SID=D6A93DA8908CD994&CI=1&AID=8&TYPE=xmlhttp&zx=o66af1noio5a&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/bind?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498857026534&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&RID=rpc&SID=3BF57F468ED9A1FF&CI=1&AID=20&TYPE=xmlhttp&zx=rnrrp7dmob1&t=1

    Method

GET

    Parameter

SID

    Evidence

3BF57F468ED9A1FF

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/test?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498857363013&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&TYPE=xmlhttp&zx=er92bokn3xpu&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/test?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498862102332&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&TYPE=xmlhttp&zx=gh1e05tpy49q&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/bind?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498859417953&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&RID=46525&CVER=1&zx=is7tjmmznzxo&t=1

    Method

POST

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/test?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498855962388&u=07824161828339778034&c=1&w=1&gsi=1&ar=4136&arat=vqHD1xFsXqLW2A&smv=2&cimpl=1&MODE=init&zx=fzuqadz6pdn6&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/bind?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498856672170&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&RID=99318&CVER=1&zx=7qvd5vpclepl&t=1

    Method

POST

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/test?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498857363013&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&TYPE=xmlhttp&zx=vkreguv922ms&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/test?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498862102332&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&TYPE=xmlhttp&zx=rfgrlq420n8r&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/bind?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498863786729&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&RID=rpc&SID=C87CD597EF594006&CI=1&AID=21&TYPE=xmlhttp&zx=4yfwflqiw7q5&t=1

    Method

GET

    Parameter

SID

    Evidence

C87CD597EF594006

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/test?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&VER=8&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874&lsq=1498855962387&u=07824161828339778034&c=1&w=1&gsi=1&smv=2&cimpl=1&TYPE=xmlhttp&zx=q69sis95p5o1&t=1

    Method

GET

    Parameter

sid

    Evidence

7a82a150184f02f7

Instances

1065

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

sid

    Evidence

00D6A00000027Fp!AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo

Instances

1

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=KZJyC7Kn4lZepDQc6yTWQqef-jyI1Syv&sw=true&VER=8&SID=DA35B7B2E601ADD5&RID=83166&AID=0&zx=vzjji2a6drl4&t=1

    Method

POST

    Parameter

SID

    Evidence

DA35B7B2E601ADD5

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=pqMAW3aVk4Hu48Se7L2ckydTFwLDGvYl&sw=true&VER=8&SID=213D5E8CF4016273&RID=46497&AID=0&zx=f7mragmq8uxa&t=1

    Method

POST

    Parameter

SID

    Evidence

213D5E8CF4016273

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=KYTehQTe0Hc8wcR6UtBv8xdtuVXsSEVe&sw=true&VER=8&SID=64C036047769400A&RID=77429&AID=1&zx=4otozh5wql9d&t=1

    Method

POST

    Parameter

SID

    Evidence

64C036047769400A

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=nsPBH7fU90taSH1OeXHdq8SPo_sF2_RR&sw=true&VER=8&RID=rpc&SID=2491E9F4EBCAC540&CI=1&AID=0&TYPE=xmlhttp&zx=yrtk7auakzd6&t=1

    Method

GET

    Parameter

SID

    Evidence

2491E9F4EBCAC540

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=ENzxafbuba6bPhVa8BU87pJSYqODT914&sw=true&VER=8&RID=rpc&SID=20EE6DD34B3ECF97&CI=1&AID=0&TYPE=xmlhttp&zx=7an6vyhaff71&t=1

    Method

GET

    Parameter

SID

    Evidence

20EE6DD34B3ECF97

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=JTBXppG1FN98IsbO05s9Cv9RQaMxPH5-&sw=true&VER=8&RID=rpc&SID=39F4FF25CF51D3AC&CI=1&AID=0&TYPE=xmlhttp&zx=mw1h3pfrb82q&t=1

    Method

GET

    Parameter

SID

    Evidence

39F4FF25CF51D3AC

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=KEKcfY3j6SyvWVuk_OFv0xp8r5H2fUWy&sw=true&VER=8&RID=rpc&SID=5329D7E804AF363E&CI=1&AID=0&TYPE=xmlhttp&zx=730sg4gn6449&t=1

    Method

GET

    Parameter

SID

    Evidence

5329D7E804AF363E

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=pP30gIyvxA9nod9KfH8KRlEfqxtDYX1s&sw=true&VER=8&RID=rpc&SID=D52594FEE69B5FDC&CI=1&AID=1&TYPE=xmlhttp&zx=a0uz4l74kbcq&t=1

    Method

GET

    Parameter

SID

    Evidence

D52594FEE69B5FDC

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=7nDsQO0-uhGH02YTTfbd0P8PJupTZNnr&sw=true&VER=8&RID=rpc&SID=67773F720DC75FAB&CI=1&AID=0&TYPE=xmlhttp&zx=9lfv8yrjuinp&t=1

    Method

GET

    Parameter

SID

    Evidence

67773F720DC75FAB

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=Xi6SOFO24RJjckB0w9TSiEL6AGVKshlf&sw=true&VER=8&RID=rpc&SID=6202DBD006322037&CI=1&AID=0&TYPE=xmlhttp&zx=ov6tfju3wy59&t=1

    Method

GET

    Parameter

SID

    Evidence

6202DBD006322037

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=DdXVbCX9c1RhWqql-1D1_OO-pGGblaCW&sw=true&VER=8&SID=AEFCB50B77D7412&RID=82648&AID=1&zx=y3799potvgw0&t=1

    Method

POST

    Parameter

SID

    Evidence

AEFCB50B77D7412

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=rwVMCme3dKrPgy6wSbm4YMzSf0coZHCS&sw=true&VER=8&RID=rpc&SID=75F543E52C1C33F8&CI=1&AID=1&TYPE=xmlhttp&zx=3dfmx94o0djd&t=1

    Method

GET

    Parameter

SID

    Evidence

75F543E52C1C33F8

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=KYTehQTe0Hc8wcR6UtBv8xdtuVXsSEVe&sw=true&VER=8&RID=rpc&SID=64C036047769400A&CI=1&AID=1&TYPE=xmlhttp&zx=l4c0x411qfal&t=1

    Method

GET

    Parameter

SID

    Evidence

64C036047769400A

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=KZJyC7Kn4lZepDQc6yTWQqef-jyI1Syv&sw=true&VER=8&SID=30EEBCBAE16B3B8&RID=4470&AID=1&zx=bx27w66b0d3s&t=1

    Method

POST

    Parameter

SID

    Evidence

30EEBCBAE16B3B8

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=7nDsQO0-uhGH02YTTfbd0P8PJupTZNnr&sw=true&VER=8&RID=rpc&SID=D0B1D525F57A84F1&CI=1&AID=1&TYPE=xmlhttp&zx=691mu9w3iiir&t=1

    Method

GET

    Parameter

SID

    Evidence

D0B1D525F57A84F1

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=hxZxpXxbNnijQNpFieIIDFGXbK-01fZz&sw=true&VER=8&SID=DA11A87AB396FA86&RID=12307&AID=1&zx=genqmmuka6jr&t=1

    Method

POST

    Parameter

SID

    Evidence

DA11A87AB396FA86

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=7nDsQO0-uhGH02YTTfbd0P8PJupTZNnr&sw=true&VER=8&RID=rpc&SID=D0B1D525F57A84F1&CI=1&AID=3&TYPE=xmlhttp&zx=g17jr4hzs76d&t=1

    Method

GET

    Parameter

SID

    Evidence

D0B1D525F57A84F1

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=Hn4U1iFaiYZYhqHP6zs-6ExcP8vgw2Iq&sw=true&VER=8&RID=rpc&SID=50429120B0B5AF5F&CI=1&AID=0&TYPE=xmlhttp&zx=dpdcgpsty9q6&t=1

    Method

GET

    Parameter

SID

    Evidence

50429120B0B5AF5F

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=s5pxVETbq9fnYM9bCugonfJ4KsLl4dHt&sw=true&VER=8&RID=rpc&SID=48859F99F6DBD60F&CI=1&AID=1&TYPE=xmlhttp&zx=ni3cyhrv1wlb&t=1

    Method

GET

    Parameter

SID

    Evidence

48859F99F6DBD60F

URL

https://cello.client-channel.google.com/client-channel/channel/bind?authuser=1&ctype=cello&service=appscommonstorage&gsessionid=rwVMCme3dKrPgy6wSbm4YMzSf0coZHCS&sw=true&VER=8&SID=75F543E52C1C33F8&RID=46374&AID=0&zx=vstcjm9za98w&t=1

    Method

POST

    Parameter

SID

    Evidence

75F543E52C1C33F8

Instances

135

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=633&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=38&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=190&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=158&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=130&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=709&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=176&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=119&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=105&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=166&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=94&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=147&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=141&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=187&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=304&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=101&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=159&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=203&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=179&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

URL

https://d.la1-c2-phx.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=4003f07b-1dfe-4d8d-a693-454e815e3e10&r=172&Availability.prefix=Visitor&Availability.ids=%5B57330000000MBlR%5D&callback=liveagent._.handlePing&deployment_id=57230000000DmsR&org_id=00D000000000062&version=36

    Method

GET

    Parameter

sid

    Evidence

4003f07b-1dfe-4d8d-a693-454e815e3e10

Instances

45

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/save?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&c=1&w=1&smv=2&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874

    Method

POST

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/scripts/uiready?ruid=192&id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&ctx=%7B%22gid%22%3A%220%22%2C%22scol%22%3A1%2C%22ecol%22%3A4%2C%22srow%22%3A8%2C%22erow%22%3A10%7D&sid=c7ee7541bf56334&c=1&w=1&smv=27&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534

    Method

POST

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=1498853173111&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&SID=FEF68874CB2DACFF&RID=17470&TYPE=terminate&zx=krql64l6u28p

    Method

GET

    Parameter

SID

    Evidence

FEF68874CB2DACFF

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/test?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=-1&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&MODE=init&zx=am77rbtx5gju&t=1

    Method

GET

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://docs.google.com/comments/u/108051834801949350428/d/AAHRpnXvrdt6XCTqtMtxKXy7-ACMT9oo-vZ9pC-dnITs_Fb9898jBfGwMT2jIW9X3UqhT05Rs59qPyb6f7Ka_mlUp5DcqoORJRxir97CEbJLuvSQWOM5V4y4/docos/p/sync?id=AAHRpnXvrdt6XCTqtMtxKXy7-ACMT9oo-vZ9pC-dnITs_Fb9898jBfGwMT2jIW9X3UqhT05Rs59qPyb6f7Ka_mlUp5DcqoORJRxir97CEbJLuvSQWOM5V4y4&sid=7dafbf3f1e45af9b&c=0&w=0&smv=27&token=AGNctVaQvbCwcJA_se5b1U78-dCI4vHCMg%3A1498853173674

    Method

POST

    Parameter

sid

    Evidence

7dafbf3f1e45af9b

URL

https://docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/docos/p/sync?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&c=1&w=1&smv=2&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874

    Method

POST

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/scripts/uiready?ruid=417&id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&ctx=%7B%22cur%22%3A1%2C%22rng%22%3A%5B%5D%2C%22rev%22%3A4136%2C%22ssid%22%3A%227a82a150184f02f7%22%2C%22docId%22%3A%221XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY%22%2C%22app%22%3A%22KIX%22%7D&sid=7a82a150184f02f7&c=1&w=1&smv=2&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874

    Method

POST

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=1498853173111&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&SID=FEF68874CB2DACFF&RID=17470&TYPE=terminate&zx=krql64l6u28p

    Method

GET

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/externaldata/fetchData?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&c=1&w=1&smv=27&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534

    Method

POST

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/delta?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&c=1&w=1&smv=2&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874

    Method

POST

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/fetchrows?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&c=1&w=1&smv=27&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534

    Method

POST

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/delta?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&c=1&w=1&smv=27&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534

    Method

POST

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=-1&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&RID=17469&CVER=1&zx=e18awjwbw8gl&t=1

    Method

POST

    Parameter

sid

    Evidence

c7ee7541bf56334

URL

https://docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/active?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&sid=7a82a150184f02f7&c=1&w=1&smv=2&token=AC4w5Vg8D7pxF_UrSa0qsbKQ4ONXA00jQQ%3A1498853924874

    Method

POST

    Parameter

sid

    Evidence

7a82a150184f02f7

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/leave?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&sid=c7ee7541bf56334&c=1&w=1&smv=27

    Method

POST

    Parameter

sid

    Evidence

c7ee7541bf56334

Instances

15

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://m.addthis.com/live/red_lojson/300lo.json?si=5956bf8b449f0662&bkl=0&bl=1&pdt=1599&sid=5956bf8b449f0662&pub=ra-4e9e731461d9e491&rev=v7.15.4-wp&ln=en&pc=men&cb=0&ab=-&dp=peal.io&dr=www.google.com&fp=soundboards%2Frick-and-morty&fr=&of=0&pd=0&irt=1&vcl=1&md=0&ct=1&tct=0&abt=0&cdn=0&pi=1&rb=4&gen=100&chr=UTF-8&colc=1498857359331&jsl=8321&uvs=5956bf8bd34eeafa000&skipb=1&callback=addthis.cbs.oln9_84126225628902710

    Method

GET

    Parameter

sid

    Evidence

5956bf8b449f0662

Instances

1

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

sid

    Evidence

00D6A00000027Fp!AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin

Instances

1

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

sid

    Evidence

00D6A00000027Fp!AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm

Instances

1

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (High)Session ID in URL Rewrite

Description

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

sid

    Evidence

00D6A00000027Fp!AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt

Instances

1

Solution

For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://1.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22hangouts%22%2C%226%22%3A%22StartPage%22%2C%227%22%3A%22chat_frontend_20170626.09_p0%22%2C%228%22%3Afalse%2C%2213%22%3Afalse%7D&ctype=hangouts&xpc=%7B%22cn%22%3A%228k9Lwx3rah%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2F1.client-channel.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://1.docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/xdbcm.html?internal=false&gcp=%7B%22qlc%22%3Anull%2C%22elh%22%3Afalse%2C%22eoo%22%3Atrue%7D&rt=j&xpc=%7B%22cn%22%3A%22docs%22%2C%22tp%22%3A1%2C%22osh%22%3Atrue%2C%22ppu%22%3A%22https%3A%2F%2Fdocs.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2F1.docs.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://5406241.fls.doubleclick.net/activityi;dc_pre=CLaavJWG5tQCFQ2Mfgod2b8MBA;src=5406241;type=trell0;cat=trell0;u2=trello;u3=8eac44fd3d5fbec8;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=3819187072670740

    Method

GET

    Parameter

X-Frame-Options

URL

https://5406241.fls.doubleclick.net/activityi;dc_pre=CNHIoJiG5tQCFQ6OfgodM6YIYw;src=5406241;type=remar0;cat=trell0;u2=trello;u3=5857f67f-343e-4c09-8947-885ecdd03ac9;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=8480951065438440

    Method

GET

    Parameter

X-Frame-Options

URL

https://5406241.fls.doubleclick.net/activityi;dc_pre=CMWs_76F5tQCFdVifgod5A4D6A;src=5406241;type=remar0;cat=trell0;u2=trello;u3=5857f67f-343e-4c09-8947-885ecdd03ac9;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2565392734378304.5

    Method

GET

    Parameter

X-Frame-Options

URL

https://5406241.fls.doubleclick.net/activityi;dc_pre=CMLRupaG5tQCFc2VfgoduW8Brw;src=5406241;type=trell0;cat=trell0;u2=trello;u3=9f288a64296073d6;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=394339802540451

    Method

GET

    Parameter

X-Frame-Options

URL

https://5406241.fls.doubleclick.net/activityi;dc_pre=CPnfyLyO5tQCFc-TfgodMtkOnA;src=5406241;type=remar0;cat=trell0;u2=trello;u3=5857f67f-343e-4c09-8947-885ecdd03ac9;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=9736719691638176

    Method

GET

    Parameter

X-Frame-Options

Instances

5

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=http%3A%2F%2Fwww.bankshot.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Frame-Options

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fhangouts.google.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCN-gGvjEWU-zXLYV7GJfMM0J9oEqQ

    Method

GET

    Parameter

X-Frame-Options

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay609015277&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=1188900850%7C0.3663509669&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

X-Frame-Options

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fconsole.developers.google.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Frame-Options

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay1282987641&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=674248473%7C0.4265463295&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

X-Frame-Options

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Ftrello.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

X-Frame-Options

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fdrive.google.com&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

X-Frame-Options

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay662831281&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=436729601%7C0.13306347&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

X-Frame-Options

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fdocs.google.com&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

X-Frame-Options

URL

https://accounts.google.com/b/0/ListAccounts?listPages=0&pid=331&mo=1&mn=1&hl=en&origin=https%3A%2F%2Fdevelopers.google.com

    Method

GET

    Parameter

X-Frame-Options

Instances

10

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://api.amplitude.com/

    Method

POST

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://apikeys.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://apis.google.com/u/0/se/0/_/+1/fastbutton?usegapi=1&origin=http%3A%2F%2Fwww.bankshot.com&url=http%3A%2F%2Fwww.bankshot.com%2F&gsrc=3p&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Frame-Options

URL

https://apis.google.com/u/1/_/hovercard/card?userid=108051834801949350428&hl=en&src=docs&origin=https%3A%2F%2Fdocs.google.com&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

X-Frame-Options

Instances

2

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://appexchange.salesforce.com/pixel?type=linkedin&comingPage=AppExchangeLayout

    Method

GET

    Parameter

X-Frame-Options

URL

https://appexchange.salesforce.com/components

    Method

GET

    Parameter

X-Frame-Options

URL

https://appexchange.salesforce.com/pixel?type=twitter&comingPage=AppExchangeLayout

    Method

GET

    Parameter

X-Frame-Options

URL

https://appexchange.salesforce.com/

    Method

GET

    Parameter

X-Frame-Options

URL

https://appexchange.salesforce.com/pixel?type=doubleclick&comingPage=HomePage

    Method

GET

    Parameter

X-Frame-Options

URL

https://appexchange.salesforce.com/pixel?type=adwords&comingPage=AppExchangeLayout

    Method

GET

    Parameter

X-Frame-Options

URL

https://appexchange.salesforce.com/results?type=Component&keywords=shopify

    Method

GET

    Parameter

X-Frame-Options

URL

https://appexchange.salesforce.com/pixel?type=facebook&comingPage=AppExchangeLayout

    Method

GET

    Parameter

X-Frame-Options

URL

https://appexchange.salesforce.com/results?keywords=shopify

    Method

GET

    Parameter

X-Frame-Options

Instances

9

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/site/381623/?section=translations&translations.lang_code=en-US&translations.app=sidenotes

    Method

GET

    Parameter

X-Frame-Options

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/site/381623/?section=translations&translations.lang_code=en-US&translations.app=comment-component

    Method

GET

    Parameter

X-Frame-Options

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/?section=translations&translations.lang_code=en-US&translations.app=identity

    Method

GET

    Parameter

X-Frame-Options

Instances

3

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)Referer Exposes Session ID

Description

A hyperlink pointing to anther host name was found. As session ID URL rewrite is used, it may be disclosed in referer header to external hosts.

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=/one/one.app&sid=00D6A00000027Fp!AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug=

    Method

GET

    Parameter

N/A

    Attack

na50.salesforce.com

    Evidence

na50.salesforce.com

Instances

1

Solution

This is a risk if the session ID is sensitive and the hyperlink refers to an external or third party host. For secure content, put session ID in secured session cookie.

Reference

http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html

CWE Id

200

WASC Id

13

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://c.salesforce.com/login-messages/promos.html

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://cas.criteo.com/delivery/afr.php?ptv=18&abp=1&zoneid=388248&cb=38278157350&nodis=1&charset=UTF-8&dc=3&atfr=0&loc=https%3A%2F%2Fteamforcesite.wordpress.com%2F2016%2F07%2F21%2Fintegration-of-salesforce-with-shopify-application%2F

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://cello.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22cello%22%2C%224%22%3A%22appscommonstorage%22%2C%228%22%3Afalse%2C%2213%22%3Atrue%7D&ctype=cello&sw=true&xpc=%7B%22cn%22%3A%22ANbuqYeh4V%22%2C%22ppu%22%3A%22https%3A%2F%2Fdrive.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fcello.client-channel.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

X-Frame-Options

URL

https://cello.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22cello%22%2C%224%22%3A%22appscommonstorage%22%2C%228%22%3Afalse%2C%2213%22%3Atrue%7D&ctype=cello&sw=true&xpc=%7B%22cn%22%3A%229ljBhyvlXo%22%2C%22ppu%22%3A%22https%3A%2F%2Fdrive.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fcello.client-channel.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

X-Frame-Options

Instances

2

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)Application Error Disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

URL

https://cfl.dropboxstatic.com/static/compiled/js/external/moxie.min-vflBUG7Sb.js

    Method

GET

    Evidence

Internal Server Error

Instances

1

Solution

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Reference

CWE Id

200

WASC Id

13

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://clientauthconfig.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://clients4.google.com/invalidation/lcs/client?authuser=1&service=appscommonstorage&xpc=%7B%22cn%22%3A%22UcJOl1xclK%22%2C%22ppu%22%3A%22https%3A%2F%2Fdrive.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fclients4.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

X-Frame-Options

URL

https://clients4.google.com/invalidation/lcs/client?xpc=%7B%22cn%22%3A%22B4A4I6sYqC%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fclients4.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

X-Frame-Options

URL

https://clients4.google.com/invalidation/lcs/client?authuser=1&service=appscommonstorage&xpc=%7B%22cn%22%3A%22ZsUyMzJF0u%22%2C%22ppu%22%3A%22https%3A%2F%2Fdrive.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fclients4.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

X-Frame-Options

Instances

3

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://cloudresourcemanager.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://cloudusersettings-pa.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://console.developers.google.com/henhouse/?pb=%5B%22hh-0%22%2C%22geocoding_backend%22%2Cnull%2C%5B%5D%2C%22https%3A%2F%2Fdevelopers.google.com%22%2Cnull%2C%5B%5D%2Cnull%2Cnull%2Cnull%2Cnull%2C%5B%5D%5D

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://content.googleapis.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://d14qd3he45186l.cloudfront.net/ads-search32.html

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)Application Error Disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

URL

https://developers.google.com/_s/getsuggestions?hl=en&s=cloud&c=1

    Method

GET

    Evidence

Error Report

Instances

1

Solution

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Reference

CWE Id

200

WASC Id

13

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://dl.dropboxusercontent.com/xls/preview_shared/RCls7zOXNkebeRTYr4shyzkcqH9DryVibjcr4opYeZM93Cir8DqK6eDtRSSEWwQY/file?dl=0&get_preview=1&revision_id=A5oFVMits38H-kZECwZWMwjiQMtUpKVKLloAhMdx5Fzf9lBDqzNEipYZJyRXBW6MQsCjX_thsfgayALXhIK46W5yHzbUye4k1sDC7yGLqDWMfpNmfVYxcZ3EzEsyKki-d70

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://docs.google.com/drawings/u/1/preload

    Method

GET

    Parameter

X-Frame-Options

URL

https://docs.google.com/presentation/u/1/preload

    Method

GET

    Parameter

X-Frame-Options

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/edit?usp=drive_web

    Method

GET

    Parameter

X-Frame-Options

URL

https://docs.google.com/document/u/1/preload

    Method

GET

    Parameter

X-Frame-Options

URL

https://docs.google.com/offline/iframeapi?ouid=uc0046c710a5324d5

    Method

GET

    Parameter

X-Frame-Options

URL

https://docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/edit?usp=drive_web

    Method

GET

    Parameter

X-Frame-Options

URL

https://docs.google.com/spreadsheets/u/1/preload

    Method

GET

    Parameter

X-Frame-Options

Instances

7

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)Application Error Disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

URL

https://docs.google.com/static/spreadsheets2/ad4d0544de/ritz/7BED558C4DA4290BD11581C846B84078.cache.js

    Method

GET

    Evidence

internal error

URL

https://docs.google.com/static/spreadsheets2/ad4d0544de/ritz/114E6F745C3FD267DB281DA05F9566F0.cache.js

    Method

GET

    Evidence

internal error

URL

https://docs.google.com/static/document/client/js/4068213557-kix_main_i18n_kix_core.js

    Method

GET

    Evidence

Unknown table

Instances

3

Solution

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Reference

CWE Id

200

WASC Id

13

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://drive.google.com/drive/u/1/preload

    Method

GET

    Parameter

X-Frame-Options

URL

https://drive.google.com/drive/serviceworker/update?ouid=u48e5c42088eda700

    Method

GET

    Parameter

X-Frame-Options

URL

https://drive.google.com/drive/offline/cacheupdate

    Method

GET

    Parameter

X-Frame-Options

URL

https://drive.google.com/doclist/offline/cacheupdater?ouid=u48e5c42088eda700&delete_cache=0

    Method

GET

    Parameter

X-Frame-Options

URL

https://drive.google.com/file/u/1/preload

    Method

GET

    Parameter

X-Frame-Options

Instances

5

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://email-app.s7.marketingcloudapps.com/

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)Application Error Disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

URL

https://email-app.s7.marketingcloudapps.com/bower_components/ckeditor/lang/en.js?t=F61A

    Method

GET

    Evidence

internal error

Instances

1

Solution

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Reference

CWE Id

200

WASC Id

13

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://google-developers.appspot.com/maps/documentation/utils/geocoder/embed

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://gspe1-ssl.ls.apple.com/pep/gcc

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://hangouts.google.com/webchat/frame3?zx=1498502060

    Method

GET

    Parameter

X-Frame-Options

URL

https://hangouts.google.com/hangouts/_/hscv?pvt=AMP3uWYxeMYkl3vqyynUFdBXbzed0aKeSlOBXimW9Y0EODzu1tEIhoBrncrq48p_0Rh-dkNIx8CMsF0qhJb261J7xQgvjeQEeA&authuser=0&xpc=%7B%22cn%22%3A%22qUyV1iYi1n%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

X-Frame-Options

URL

https://hangouts.google.com/webchat/u/0/frame?v=1498502060&hl=en&pvt=AMP3uWZdUR2AoDUrQWWh_gnaiMvVzB_xfCxx53HFvX-HNN2Uv7H-0lkLsQzriLLU5JEIVEl1hoGWiTWKzEq5TrdhZrF-lz7dZg%3D%3D&prop=gmail

    Method

GET

    Parameter

X-Frame-Options

URL

https://hangouts.google.com/webchat/load?prop=StartPage&pvt=AMP3uWYxeMYkl3vqyynUFdBXbzed0aKeSlOBXimW9Y0EODzu1tEIhoBrncrq48p_0Rh-dkNIx8CMsF0qhJb261J7xQgvjeQEeA&fc=https://hangouts.google.com&ds&hl=en&zx=0.10308532660983882

    Method

GET

    Parameter

X-Frame-Options

Instances

4

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://help.salesforce.com/sCSS/40.0/1497971282000/PortalDefault/gc/dStandard.css

    Method

GET

    Parameter

X-Frame-Options

URL

https://help.salesforce.com/sCSS/40.0/1498857922000/PortalDefault/00D30000000XsfG/06030000000M1Pu/gc/portal.css

    Method

GET

    Parameter

X-Frame-Options

URL

https://help.salesforce.com/setSFXCookie?value=sfx

    Method

GET

    Parameter

X-Frame-Options

Instances

3

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://iam.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://images-na.ssl-images-amazon.com/images/G/01/ape/sf/desktop/sf-1.05._V508917648_.html

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://marketing.dropbox.com/s/%3Atkey/%2Apath?referrer=

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://mc.exacttarget.com/cloud/

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://mc.s7.exacttarget.com/cloud/

    Method

GET

    Parameter

X-Frame-Options

URL

https://mc.s7.exacttarget.com/cloud/login.html?hash=logged-inI2FwcC9FbWFpbC9DMTIvRGVmYXVsdC5hc3B4P2VudGl0eVR5cGU9bm9uZSZlbnRpdHlJRD0wJTIzU3Vic2NyaWJlcnMvQ3VzdG9tT2JqZWN0cy8zMzI2Mi8_dHM9MTQ5ODg1NTMxODU4MA==

    Method

GET

    Parameter

X-Frame-Options

URL

https://mc.s7.exacttarget.com/cloud/legacy-dashboard.html?hub=1

    Method

GET

    Parameter

X-Frame-Options

URL

https://mc.s7.exacttarget.com/AutomationStudioFuel3/?hub=1

    Method

GET

    Parameter

X-Frame-Options

URL

https://mc.s7.exacttarget.com/cloud/login.html?hash=logged-inIw%3d%3d

    Method

GET

    Parameter

X-Frame-Options

URL

https://mc.s7.exacttarget.com/cloud/tools/SSO.aspx?legacy=1&env=default&appId=6DF293A1-4FDC-41CD-AA08-89EFC793C33C&hp=dmZFdTZzVXY0WVk9

    Method

GET

    Parameter

X-Frame-Options

Instances

6

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)Application Error Disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

URL

https://mc.s7.exacttarget.com/rest//beta/folder/0/

    Method

GET

    Evidence

HTTP/1.1 500 Internal Server Error

URL

https://mc.s7.exacttarget.com/rest//beta/folder/undefined/

    Method

GET

    Evidence

HTTP/1.1 500 Internal Server Error

Instances

2

Solution

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Reference

CWE Id

200

WASC Id

13

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://members.s7.exacttarget.com/SessionWarning.aspx?pl=7003320&c=fea0

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinitionListing.aspx?CategoryID=33264&CategoryName=Reengagement+Campaign

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinitionListing.aspx?saved=true&CategoryID=33264&CategoryName=Query

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Include/Init.aspx?MemberID=fe8d13727663057a72&EmployeeID=fe9a13767567077d77&BrandID=fe92137075660d7873&ImpersonatingEmployeeID=fe9a13767567077d77&ImpersonatingMemberID=fe8d13727663057a72&SFSubID=0&SFContactName=&c=true&entityType=&entityID=&entityAction=&s=True

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinitionListing.aspx?CategoryID=33264&CategoryName=Reengagement&

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinitionListing.aspx?saved=true&CategoryID=33264&CategoryName=Reengagement+Campaign

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/NavTree.aspx

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Administration/SendManagement/SendDefinitionListing.aspx?saved=True&CategoryID=2888

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=subscribers&categoryID=33262&entityType=subscribers&entityID=1

    Method

POST

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Administration/SendManagement/SendDefinitionListing.aspx?CategoryID=2888&CategoryName=User-Initiated

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=interactions&categoryID=2888

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=subscribers&categoryID=33262&entityType=subscribers&entityID=1

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinitionListing.aspx?CategoryID=2893&CategoryName=Query

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinition.aspx?id=3ec96243-ebd7-4d61-a7a9-e188e321fd13&CategoryID=33264&CategoryName=Reengagement+Campaign

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Email/EmailAppContainer.aspx?m=6

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinition.aspx?id=3ac682ad-dae9-492a-8a46-13e99599f665&CategoryID=33264&CategoryName=Reengagement+Campaign

    Method

POST

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinition.aspx?id=3ac682ad-dae9-492a-8a46-13e99599f665&CategoryID=33264&CategoryName=Reengagement+Campaign

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Error.aspx?aspxerrorpath=/C12/%25%25=v(@coll_img)=%25%25

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinition.aspx?CategoryID=33264

    Method

GET

    Parameter

X-Frame-Options

URL

https://members.s7.exacttarget.com/Error.aspx?aspxerrorpath=/C12/%25%25=CONCAT(@image_base_url,%20@prod_img)=%25%25

    Method

GET

    Parameter

X-Frame-Options

Instances

30

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)Application Error Disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

URL

https://na50.lightning.force.com/l/%7B%22mode%22%3A%22PROD%22%2C%22app%22%3A%22one%3Aone%22%2C%22fwuid%22%3A%22egTJsAb7_Esngaq3zUvPDw%22%2C%22loaded%22%3A%7B%22APPLICATION%40markup%3A%2F%2Fone%3Aone%22%3A%22Io3iMpQJM65fyjsQSubsag%22%7D%2C%22requestedLocales%22%3A%5B%22en_US%22%2C%22en%22%5D%2C%22pathPrefix%22%3A%22%22%2C%22ls%22%3A%22YY%22%2C%22m%22%3A1%7D/bootstrap.js?jwt=453e907336444610a71b3ae0586fa05f59f29d21537ced9bc7243494870036c7

    Method

GET

    Evidence

internal error

URL

https://na50.lightning.force.com/aura?r=3&Flexipage.getPage=1

    Method

POST

    Evidence

internal error

Instances

2

Solution

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Reference

CWE Id

200

WASC Id

13

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://notifications.google.com/u/0/widget?sourceid=300&hl=en&origin=https%3A%2F%2Fhangouts.google.com&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://platform.twitter.com/widgets/follow_button.bac917c749f65aefd5f37c272c7c3538.en.html

    Method

GET

    Parameter

X-Frame-Options

URL

https://platform.twitter.com/jot.html

    Method

GET

    Parameter

X-Frame-Options

Instances

2

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://public-api.wordpress.com/wp-admin/rest-proxy/

    Method

GET

    Parameter

X-Frame-Options

URL

https://public-api.wordpress.com/connect/?googleplus-sign-in=https%3A%2F%2Fteamforcesite.wordpress.com

    Method

GET

    Parameter

X-Frame-Options

Instances

2

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://rcsfl.na50.visual.force.com/apex/OpenCTIIndex999?mode=Lightning&isdtp=vw&sfdcIframeOrigin=https%3A%2F%2Fna50.lightning.force.com

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://salesforcecom.demdex.net/dest5.html?d_nsid=0

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://servicemanagement.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)Application Error Disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

URL

https://servicemanagement.clients6.google.com/v1/services?%24prettyPrint=false&category=servicemanagement.googleapis.com%2Fcategories%2Fgoogle-services&key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g

    Method

GET

    Evidence

Error Report

Instances

1

Solution

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Reference

CWE Id

200

WASC Id

13

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://ssl.gstatic.com/chrome/components/doodle-notifier-01.html

    Method

GET

    Parameter

X-Frame-Options

URL

https://ssl.gstatic.com/chrome/components/doodle-notifier-02.html

    Method

GET

    Parameter

X-Frame-Options

Instances

2

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://static.addtoany.com/menu/sm.16.html

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://static.eu.criteo.net/empty.html

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://tos-pa.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://tracker.toptal.com/?email=hdspeedfreak%40gmail.com&password=fxdl97&remember_me=on

    Method

GET

    Parameter

X-Frame-Options

URL

https://tracker.toptal.com/signin

    Method

GET

    Parameter

X-Frame-Options

URL

https://tracker.toptal.com/app/reports

    Method

GET

    Parameter

X-Frame-Options

Instances

3

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://widgets.wp.com/likes/

    Method

GET

    Parameter

X-Frame-Options

URL

https://widgets.wp.com/likes/master.html?ver=20170206

    Method

GET

    Parameter

X-Frame-Options

Instances

2

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://www.adsensecustomsearchads.com/afs/ads?q=screwpop&adpage=1&ccfn=amazon_numbered_three_column_for_non_Search&r=m&fexp=21404%2C17300003&client=amazon&channel=g-channel-79%2Bg-channel-223&hl=en&adtest=off&type=0&oe=UTF-8&ie=UTF-8&jsei=3&format=n3&ad=n3&nocache=3301498854698925&num=0&output=uds_ads_only&v=3&bsl=10&u_his=4&u_tz=-420&dt=1498854698929&u_w=1920&u_h=1080&biw=-12245933&bih=-12245933&isw=1255&ish=1&psw=1255&psh=0&frm=2&uio=uv3-&jsv=18065&rurl=https%3A%2F%2Fd14qd3he45186l.cloudfront.net%2Fads-search32.html&referer=www.amazon.com

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.adsensecustomsearchads.com/afs/ads?q=screwpop&adpage=1&ccfn=amazon_numbered&r=m&fexp=21404%2C17300003&client=amazon&channel=g-channel-92%2Bg-channel-136%2Bg-channel-334&hl=en&adtest=off&type=0&oe=UTF-8&ie=UTF-8&jsei=3&format=n4&ad=n4&nocache=151498854653972&num=0&output=uds_ads_only&v=3&bsl=10&u_his=3&u_tz=-420&dt=1498854653973&u_w=1920&u_h=1080&biw=-12245933&bih=-12245933&isw=1059&ish=1&psw=1059&psh=0&frm=2&uio=uv3-&jsv=18065&rurl=https%3A%2F%2Fd14qd3he45186l.cloudfront.net%2Fads-search32.html&referer=www.amazon.com

    Method

GET

    Parameter

X-Frame-Options

Instances

2

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://www.facebook.com/v2.5/plugins/like.php?action=like&app_id=&channel=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df32dcb706915634%26domain%3Dwww.bankshot.com%26origin%3Dhttp%253A%252F%252Fwww.bankshot.com%252Ffcdb80a5a24e7%26relation%3Dparent.parent&container_width=90&height=65&href=http%3A%2F%2Fwww.bankshot.com%2F&layout=button_count&locale=en_US&sdk=joey&share=false&show_faces=false&width=55

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.facebook.com/v2.8/plugins/page.php?adapt_container_width=true&app_id=286393578041613&channel=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df9ab33c2f793c8%26domain%3Dvinjabond.com%26origin%3Dhttp%253A%252F%252Fvinjabond.com%252Ff31d30a8bb74a4%26relation%3Dparent.parent&container_width=548&hide_cover=false&href=https%3A%2F%2Fwww.facebook.com%2Fjohnvinjabondcain%2F&locale=en_US&sdk=joey&show_facepile=false&small_header=false&width=500

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.facebook.com/v2.5/plugins/like.php?action=like&app_id=&channel=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df2318bd9123311c%26domain%3Dwww.bankshot.com%26origin%3Dhttp%253A%252F%252Fwww.bankshot.com%252Ffcdb80a5a24e7%26relation%3Dparent.parent&container_width=90&height=65&href=http%3A%2F%2Fwww.bankshot.com%2F&layout=button_count&locale=en_US&sdk=joey&share=false&show_faces=false&width=55

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.facebook.com/plugins/like.php?action=like&app_id=888888054527796&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Dfc4d3f9f12f224%26domain%3Dpeal.io%26origin%3Dhttps%253A%252F%252Fpeal.io%252Ff1c70fc52cfba58%26relation%3Dparent.parent&container_width=0&href=https%3A%2F%2Fwww.facebook.com%2Fpages%2FPeal%2F498043440371860&layout=button_count&locale=en_US&sdk=joey&share=false&show_faces=false

    Method

GET

    Parameter

X-Frame-Options

Instances

4

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwiq8tqsrebUAhUG5WMKHVmXDyYQFggoMAA&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql&usg=AFQjCNGg93xh13lQ-TagfAD0cxGZNZmuNg

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0ahUKEwj7vP-qwubUAhVCwWMKHSKvA48QFgg5MAM&url=https%3A%2F%2Fdevelopers.google.com%2Fmaps%2Fdocumentation%2Fgeocoding%2Fintro&usg=AFQjCNEoQp87kztDFCchzqbJULtBHeHOOA

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0ahUKEwjA4N6olObUAhUTHGMKHVf1CFwQFghHMAU&url=https%3A%2F%2Fwww.sqlservercentral.com%2FForums%2F262686%2FThe-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error&usg=AFQjCNHfUHpX0ONh7sSE7jqOfDXtJ5-dyg

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwjP5_r8l-bUAhUB32MKHQMJBlgQFggrMAA&url=https%3A%2F%2Fsocial.msdn.microsoft.com%2FForums%2Fsqlserver%2Fen-US%2Ffc7008b5-6ad1-4f55-a7e0-979ca69d6ffa%2Fimplict-converion-from-datime-to-smalldatetime%3Fforum%3Dtransactsql&usg=AFQjCNEOiv5IPkJk-rW8vnq61FaBufIMBg

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwjCuPj5rebUAhVS6GMKHe1oCcwQFggoMAA&url=https%3A%2F%2Fstackoverflow.com%2Fquestions%2F1135746%2Fsql-server-convert-string-to-datetime&usg=AFQjCNFPJ83WHYjKaodrT7Hvwu8PwaQ2Yw

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0ahUKEwi2u6zjvubUAhVJ-GMKHVJxCrkQFgg0MAI&url=http%3A%2F%2Fwww.instantrapairhorn.com%2F&usg=AFQjCNHLqpoQB0_dcXmMTFLg62fcqtXtng

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/ads/user-lists/1072226410/?random=1498844956258&cv=8&fst=1498844956247&num=2&fmt=1&label=x3P_CIql1gMQ6sCj_wM&guid=ON&u_h=1080&u_w=1920&u_ah=987&u_aw=1920&u_cd=24&u_his=3&u_tz=-420&u_java=false&u_nplug=4&u_nmime=5&frm=0&url=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&ref=https%3A%2F%2Fwww.google.com%2F&tiba=Basics%20for%20working%20with%20DATETIME%20and%20SMALLDATETIME%20in%20SQL%20Server%202005&cdct=2&is_vtc=1&random=2234959071&fpvtc=/1072226410/%3Frandom%3D297113782%26cv%3D8%26fst%3D1498842000000%26num%3D2%26fmt%3D1%26label%3Dx3P_CIql1gMQ6sCj_wM%26guid%3DON%26u_h%3D1080%26u_w%3D1920%26u_ah%3D987%26u_aw%3D1920%26u_cd%3D24%26u_his%3D3%26u_tz%3D-420%26u_java%3Dfalse%26u_nplug%3D4%26u_nmime%3D5%26frm%3D0%26url%3Dhttp%253A%252F%252Fsearchsqlserver.techtarget.com%252Ftip%252FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005%26ref%3Dhttps%253A%252F%252Fwww.google.com%252F%26tiba%3DBasics%2520for%2520working%2520with%2520DATETIME%2520and%2520SMALLDATETIME%2520in%2520SQL%2520Server%25202005%26cdct%3D2%26is_vtc%3D1

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0ahUKEwipg7ObyebUAhVM5WMKHSoSCHEQFggzMAI&url=http%3A%2F%2Fwww.bankshot.com%2F&usg=AFQjCNHMVA-YG2CtQnbiblqI4lQwdQ_bMQ

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwjs1PWruubUAhUJzGMKHdiUBmgQFggoMAA&url=https%3A%2F%2Fstackoverflow.com%2Fquestions%2F5591473%2Ferror-string-or-binary-data-would-be-truncated-when-trying-to-insert&usg=AFQjCNHEFsBoZPJwjIP3Z8MOhLS5DxZB9Q

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0ahUKEwjT0Y-2rubUAhVR62MKHTDeDwsQFgg0MAE&url=https%3A%2F%2Fstackoverflow.com%2Fquestions%2F12099059%2Fhow-to-convert-varchar-to-datetime-in-t-sql&usg=AFQjCNGFIgQfhdEFL3G1_RPnxL1o3L8N8A

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0ahUKEwib9KOnyebUAhVI2mMKHVfnBpAQFgg-MAQ&url=http%3A%2F%2Fwww.getbankshot.com%2F&usg=AFQjCNGCwMPxjzQT0hlUDWarQrXBK_7UNg

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?q=https%3A%2F%2Fwww.amazon.com%2FScrewpop-Utility-Stainless-Multi-tool-Bottle%2Fdp%2FB00UZHT432%2Fref%3Dsr_1_2%3Fie%3DUTF8%26qid%3D1498854649%26sr%3D8-2%26keywords%3Dscrewpop&sa=D&sntz=1&usg=AFQjCNHDaNRvFarmjtTQ3JUx0WywOCDG0g

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwj0-8XdvubUAhVC0mMKHdNBDOQQFggoMAA&url=https%3A%2F%2Fpeal.io%2Fsoundboards%2Frick-and-morty&usg=AFQjCNF1FzPcXdf5tQlo6ceH1tko5y0xTA

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0ahUKEwiOw5vjj-bUAhUG8mMKHebCBmAQFgguMAE&url=https%3A%2F%2Fsocial.msdn.microsoft.com%2FForums%2Fsqlserver%2Fen-US%2Ffc7008b5-6ad1-4f55-a7e0-979ca69d6ffa%2Fimplict-converion-from-datime-to-smalldatetime%3Fforum%3Dtransactsql&usg=AFQjCNEOiv5IPkJk-rW8vnq61FaBufIMBg

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwj03OiKrubUAhVYHGMKHSe1DfAQFggoMAA&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql&usg=AFQjCNGg93xh13lQ-TagfAD0cxGZNZmuNg

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0ahUKEwiOw5vjj-bUAhUG8mMKHebCBmAQFghdMAY&url=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&usg=AFQjCNEoqOMn6DJkVSJ-KSg8H_O1kpLGuA

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0ahUKEwj4k7i0subUAhVG82MKHUJLCLwQFghFMAE&url=https%3A%2F%2Fapps.shopify.com%2Fintegrations%2Fsalesforce&usg=AFQjCNGWRo1AdR3_tLfD5JHtjklmXB6BaA

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwiKj9OasObUAhUWwWMKHXxBACoQFggoMAA&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql&usg=AFQjCNGg93xh13lQ-TagfAD0cxGZNZmuNg

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwirmdPhrebUAhUL5WMKHU90DesQFggoMAA&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Ffunctions%2Fcast-and-convert-transact-sql&usg=AFQjCNHNQY9TUVm0UAn3-oxNVAa6tHj7qg

    Method

POST

    Parameter

X-Frame-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0ahUKEwjA4N6olObUAhUTHGMKHVf1CFwQFgg0MAI&url=https%3A%2F%2Fstackoverflow.com%2Fquestions%2F5622158%2Fsql-server-date-vs-smalldatetime&usg=AFQjCNEKJOCB5dHYHt2-IEsq5v1f72mkGw

    Method

POST

    Parameter

X-Frame-Options

Instances

22

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://www.sqlservercentral.com/Forums/262686/The-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error

    Method

GET

    Parameter

X-Frame-Options

Instances

1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Medium (Medium)X-Frame-Options Header Not Set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL

https://www.youtube.com/embed/GPJtXpgwbSU?vq=hd1080

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.youtube.com/embed/dKvKFdpuBr4?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-0&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.youtube.com/embed/dKvKFdpuBr4?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-6&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.youtube.com/embed/vGm9fmN_9Ws?modestbranding=1&color=white&showinfo=0&controls=1&rel=0

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.youtube.com/embed/dKvKFdpuBr4?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-3&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.youtube.com/embed/_dNKSvP8qWY?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-2&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.youtube.com/embed/_dNKSvP8qWY?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-4&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.youtube.com/embed/_dNKSvP8qWY?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-1&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

X-Frame-Options

URL

https://www.youtube.com/embed/_dNKSvP8qWY?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-5&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

X-Frame-Options

Instances

9

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=1498853173111&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&RID=rpc&SID=FEF68874CB2DACFF&CI=1&AID=1&TYPE=xmlhttp&zx=kszm5gs3syhw&t=1

    Method

OPTIONS

    Parameter

NID

    Evidence

Set-Cookie: NID

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/test?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=-1&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&TYPE=xmlhttp&zx=8zsfiuw5ot0n&t=1

    Method

OPTIONS

    Parameter

NID

    Evidence

Set-Cookie: NID

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=1498853173111&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&RID=rpc&SID=FEF68874CB2DACFF&CI=1&AID=1&TYPE=xmlhttp&zx=7iypqbvmhdof&t=2

    Method

OPTIONS

    Parameter

NID

    Evidence

Set-Cookie: NID

URL

https://0.docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/bind?id=1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU&sid=c7ee7541bf56334&VER=8&token=AC4w5VgPZMwV4F2iyuFBlEg3tlBXXzZ1uw%3A1498853173534&lsq=1498853173111&u=04043772749664381738&c=1&w=1&gsi=1&smv=27&cimpl=1&RID=rpc&SID=FEF68874CB2DACFF&CI=1&AID=1&TYPE=xmlhttp&zx=i3kf9pjf38i5&t=3

    Method

OPTIONS

    Parameter

NID

    Evidence

Set-Cookie: NID

Instances

4

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://0.gravatar.com/css/hovercard.css?ver=201726y

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://0.gravatar.com/css/services.css?ver=201726y

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://0.gravatar.com/js/gprofiles.js?ver=201726y

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://0.gravatar.com/css/hovercard.css?ver=201726y

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=604800

URL

https://0.gravatar.com/css/services.css?ver=201726y

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=604800

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://1.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22hangouts%22%2C%226%22%3A%22StartPage%22%2C%227%22%3A%22chat_frontend_20170626.09_p0%22%2C%228%22%3Afalse%2C%2213%22%3Afalse%7D&ctype=hangouts&xpc=%7B%22cn%22%3A%228k9Lwx3rah%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2F1.client-channel.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

https://apis.google.com/js/api.js

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/api.js"></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://1.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22hangouts%22%2C%226%22%3A%22StartPage%22%2C%227%22%3A%22chat_frontend_20170626.09_p0%22%2C%228%22%3Afalse%2C%2213%22%3Afalse%7D&ctype=hangouts&xpc=%7B%22cn%22%3A%228k9Lwx3rah%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2F1.client-channel.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://10861658.collect.igodigital.com/collect.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&tsent=1498844952.109&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.108&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=5ddd1a00

    Method

GET

    Parameter

Cache-Control

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.615&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.615&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=e9544256

    Method

GET

    Parameter

Cache-Control

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.595&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.595&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=cc49978

    Method

GET

    Parameter

Cache-Control

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.615&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.615&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=e9544256

    Method

GET

    Parameter

end_user_id

    Evidence

Set-Cookie: end_user_id

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&tsent=1498844952.109&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.108&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=5ddd1a00

    Method

GET

    Parameter

end_user_id

    Evidence

Set-Cookie: end_user_id

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.595&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.595&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=cc49978

    Method

GET

    Parameter

fixed_external_148927072_end_user_id

    Evidence

Set-Cookie: fixed_external_148927072_end_user_id

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&tsent=1498844952.109&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.108&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=5ddd1a00

    Method

GET

    Parameter

fixed_external_148927072_end_user_id

    Evidence

Set-Cookie: fixed_external_148927072_end_user_id

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.615&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.615&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=e9544256

    Method

GET

    Parameter

fixed_external_148927072_end_user_id

    Evidence

Set-Cookie: fixed_external_148927072_end_user_id

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.595&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.595&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=cc49978

    Method

GET

    Parameter

end_user_id

    Evidence

Set-Cookie: end_user_id

Instances

6

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.595&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.595&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=cc49978

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.615&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.615&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=e9544256

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&tsent=1498844952.109&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.108&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=5ddd1a00

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&tsent=1498844952.109&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.108&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=5ddd1a00

    Method

GET

    Parameter

end_user_id

    Evidence

Set-Cookie: end_user_id

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.595&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.595&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=cc49978

    Method

GET

    Parameter

fixed_external_148927072_end_user_id

    Evidence

Set-Cookie: fixed_external_148927072_end_user_id

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.615&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.615&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=e9544256

    Method

GET

    Parameter

fixed_external_148927072_end_user_id

    Evidence

Set-Cookie: fixed_external_148927072_end_user_id

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.595&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.595&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=cc49978

    Method

GET

    Parameter

end_user_id

    Evidence

Set-Cookie: end_user_id

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&tsent=1498844952.109&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.108&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=5ddd1a00

    Method

GET

    Parameter

fixed_external_148927072_end_user_id

    Evidence

Set-Cookie: fixed_external_148927072_end_user_id

URL

https://148927072.log.optimizely.com/event?a=148927072&d=148927072&y=false&src=js&s298824400=gc&s298902322=search&s298914081=false&s561560534=none&s1364877573=true&s2193020509=true&s2874450975=true&tsent=1498844952.615&n=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&u=oeu1498844952073r0.4955511701044164&wxhr=true&time=1498844952.615&f=8178288276,7833181205,8179428634,7821590453,8175432512,7825352006,7813922764,7812343164&g=&cx2=e9544256

    Method

GET

    Parameter

end_user_id

    Evidence

Set-Cookie: end_user_id

Instances

6

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=20&partition=-2&clientid=40ad5da&cb=g7ae&idle=67125&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=52&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=18&partition=-2&clientid=40ad5da&cb=r7z&idle=66199&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=50&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=19&partition=-2&clientid=40ad5da&cb=eoaz&idle=66662&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=51&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=32&partition=-2&clientid=40ad5da&cb=3dd8&idle=70839&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=64&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=9&partition=-2&clientid=40ad5da&cb=7nvk&idle=77066&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=78&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=22&partition=-2&clientid=40ad5da&cb=pfw&idle=67392&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=54&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=15&partition=-2&clientid=40ad5da&cb=76uq&idle=79857&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=84&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=23&partition=-2&clientid=40ad5da&cb=73to&idle=83564&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=92&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=27&partition=-2&clientid=40ad5da&cb=foz0&idle=68521&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=59&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=8&partition=-2&clientid=40ad5da&cb=5jjy&idle=76601&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=77&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=24&partition=-2&clientid=40ad5da&cb=agja&idle=84027&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=93&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=16&partition=-2&clientid=40ad5da&cb=9oca&idle=65274&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=48&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=12&partition=-2&clientid=40ad5da&cb=iyj1&idle=63425&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=44&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=16&partition=-2&clientid=40ad5da&cb=lv6q&idle=80320&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=85&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=17&partition=-2&clientid=40ad5da&cb=5ysy&idle=65737&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=49&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=26&partition=-2&clientid=40ad5da&cb=7p5g&idle=84953&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=95&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=6&partition=-2&clientid=40ad5da&cb=by7d&idle=75671&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=75&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=11&partition=-2&clientid=40ad5da&cb=i09f&idle=62961&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=43&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=19&partition=-2&clientid=40ad5da&cb=28h&idle=81711&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=88&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://4-edge-chat.messenger.com/pull?channel=p_49903178&seq=0&partition=-2&clientid=40ad5da&cb=j61y&idle=73349&qp=y&cap=8&pws=fresh&isq=1547&msgs_recv=69&uid=49903178&viewer_uid=49903178&sticky_token=112&sticky_pool=ash3c07_chat-proxy

    Method

GET

    Parameter

X-Content-Type-Options

Instances

51

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://5406241.fls.doubleclick.net/activityi;dc_pre=CNHIoJiG5tQCFQ6OfgodM6YIYw;src=5406241;type=remar0;cat=trell0;u2=trello;u3=5857f67f-343e-4c09-8947-885ecdd03ac9;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=8480951065438440

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://5406241.fls.doubleclick.net/activityi;dc_pre=CMLRupaG5tQCFc2VfgoduW8Brw;src=5406241;type=trell0;cat=trell0;u2=trello;u3=9f288a64296073d6;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=394339802540451

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://5406241.fls.doubleclick.net/activityi;dc_pre=CMWs_76F5tQCFdVifgod5A4D6A;src=5406241;type=remar0;cat=trell0;u2=trello;u3=5857f67f-343e-4c09-8947-885ecdd03ac9;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2565392734378304.5

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://5406241.fls.doubleclick.net/activityi;dc_pre=CPnfyLyO5tQCFc-TfgodMtkOnA;src=5406241;type=remar0;cat=trell0;u2=trello;u3=5857f67f-343e-4c09-8947-885ecdd03ac9;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=9736719691638176

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://5406241.fls.doubleclick.net/activityi;dc_pre=CLaavJWG5tQCFQ2Mfgod2b8MBA;src=5406241;type=trell0;cat=trell0;u2=trello;u3=8eac44fd3d5fbec8;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=3819187072670740

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

Instances

5

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://a.trellocdn.com/css/64d3873580c6e6ca3d87555387fdc0a1/core.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://a.trellocdn.com/js/0a5b55922c036780f28ba28f0034a174/app.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://a.trellocdn.com/js/b7d0b1ed0fd6eeee0596d17fc66387ee/ltp.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://a.trellocdn.com/js/b8be351d9d3de23122c10ab3cff5a799/locale.en-US.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://a.trellocdn.com/js/879fbf9d53b88b460f859f1b1e178336/quickload.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://a.trellocdn.com/css/5ab0307715b683217281cc7188cb7192/images.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://a.trellocdn.com/fonts/dffc8173a96c4bb2ff17961efb603c95/trellicons.woff

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://a.trellocdn.com/js/2c7cca50014d4d8ce374fb154965d182/snowplow.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

8

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://a.trellocdn.com/css/64d3873580c6e6ca3d87555387fdc0a1/core.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=31361300

URL

https://a.trellocdn.com/css/5ab0307715b683217281cc7188cb7192/images.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=30938504

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://aax-us-east.amazon-adsystem.com/x/getad?pa=B00UZHT432&c=100&pc=228013&pt=Detail&u=https%3A%2F%2Fwww.amazon.com&src=501&sz=245x250&ad-sid=010133d18f4143f704417b39cb25b60f784a49670761a44acff3672a4aa1d0de3223&pj=%7B%22asins%22%3A%22B00UZHT432%22%2C%22st%22%3A%22amzn.us.dp.home%22%2C%22zn%22%3A%22tools_hardware%22%2C%22prid%22%3A%2201019ea6c17ea4b268a8f59ca66743781bf8621e456b0b6241b404ab1afa0e64d095%22%2C%22bn%22%3A%22228013%22%7D&ad-uid=0101d72c683f414b7751f4e0defe82f73e9ab3937667d30a12785ffb97202d3080ab&slot=ams-detail-right-v2

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fdrive.google.com&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Ftrello.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fconsole.developers.google.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay609015277&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=1188900850%7C0.3663509669&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fhangouts.google.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCN-gGvjEWU-zXLYV7GJfMM0J9oEqQ

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=http%3A%2F%2Fwww.bankshot.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fdocs.google.com&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay662831281&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=436729601%7C0.13306347&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay1282987641&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=674248473%7C0.4265463295&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

X-Content-Type-Options

Instances

9

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay662831281&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=436729601%7C0.13306347&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

https://ssl.gstatic.com/accounts/o/2494075490-postmessage.js

    Evidence

<script src='https://ssl.gstatic.com/accounts/o/2494075490-postmessage.js'></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fdocs.google.com&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js

    Evidence

<script src='https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js'></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Ftrello.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

https://apis.google.com/js/rpc:shindig_random.js?onload=init

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/rpc:shindig_random.js?onload=init"></script>

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay662831281&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=436729601%7C0.13306347&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

https://apis.google.com/js/rpc:shindig_random.js?onload=init

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/rpc:shindig_random.js?onload=init"></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=http%3A%2F%2Fwww.bankshot.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js

    Evidence

<script src='https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js'></script>

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay1282987641&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=674248473%7C0.4265463295&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

https://apis.google.com/js/rpc:shindig_random.js?onload=init

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/rpc:shindig_random.js?onload=init"></script>

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay609015277&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=1188900850%7C0.3663509669&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

https://apis.google.com/js/rpc:shindig_random.js?onload=init

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/rpc:shindig_random.js?onload=init"></script>

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay662831281&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=436729601%7C0.13306347&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

https://apis.google.com/js/rpc:shindig_random.js?onload

    Attack

init

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/rpc:shindig_random.js?onload=init"></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fconsole.developers.google.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js

    Evidence

<script src='https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js'></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fconsole.developers.google.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

https://apis.google.com/js/rpc:shindig_random.js?onload=init

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/rpc:shindig_random.js?onload=init"></script>

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay1282987641&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=674248473%7C0.4265463295&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

https://apis.google.com/js/rpc:shindig_random.js?onload

    Attack

init

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/rpc:shindig_random.js?onload=init"></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fhangouts.google.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCN-gGvjEWU-zXLYV7GJfMM0J9oEqQ

    Method

GET

    Parameter

https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js

    Evidence

<script src='https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js'></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fdocs.google.com&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

https://apis.google.com/js/rpc:shindig_random.js?onload=init

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/rpc:shindig_random.js?onload=init"></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=http%3A%2F%2Fwww.bankshot.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

https://apis.google.com/js/rpc:shindig_random.js?onload=init

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/rpc:shindig_random.js?onload=init"></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Ftrello.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js

    Evidence

<script src='https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js'></script>

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay1282987641&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=674248473%7C0.4265463295&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

https://ssl.gstatic.com/accounts/o/2494075490-postmessage.js

    Evidence

<script src='https://ssl.gstatic.com/accounts/o/2494075490-postmessage.js'></script>

URL

https://accounts.google.com/o/oauth2/auth?client_id=28300235456-b801aqbc1i8luet9arr7sgll09t6eep9.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly&immediate=true&include_granted_scopes=true&proxy=oauth2relay609015277&redirect_uri=postmessage&origin=https%3A%2F%2Ftrello.com&response_type=token&gsiwebsdk=1&state=1188900850%7C0.3663509669&authuser=0&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

https://ssl.gstatic.com/accounts/o/2494075490-postmessage.js

    Evidence

<script src='https://ssl.gstatic.com/accounts/o/2494075490-postmessage.js'></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fdrive.google.com&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js

    Evidence

<script src='https://ssl.gstatic.com/accounts/o/164542457-postmessagerelay.js'></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Ftrello.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

https://apis.google.com/js/rpc:shindig_random.js?onload

    Attack

init

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/rpc:shindig_random.js?onload=init"></script>

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fhangouts.google.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCN-gGvjEWU-zXLYV7GJfMM0J9oEqQ

    Method

GET

    Parameter

https://apis.google.com/js/rpc:shindig_random.js?onload=init

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/rpc:shindig_random.js?onload=init"></script>

Instances

21

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=http%3A%2F%2Fwww.bankshot.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=86400

URL

https://accounts.google.com/b/0/ListAccounts?listPages=0&pid=331&mo=1&mn=1&hl=en&origin=https%3A%2F%2Fdevelopers.google.com

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fconsole.developers.google.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=86400

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fdocs.google.com&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=86400

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Ftrello.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.igYmnD2Ihxg.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCPgyOJRbypaXgvHivIX-Rv839SwUg

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=86400

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fhangouts.google.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCN-gGvjEWU-zXLYV7GJfMM0J9oEqQ

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=86400

URL

https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fdrive.google.com&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=86400

Instances

7

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://ams-ads-cornerstone-creatives.s3.amazonaws.com/4693458?AWSAccessKeyId=AKIAJ5KYEYPALY4QCGYQ&Expires=2145916800&Signature=d6Q9G5uES5tP9QGI8yMj%2FY5I%2FTc%3D

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://api-iam.intercom.io/messenger/web/ping

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://api.amplitude.com/

    Method

POST

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://api.amplitude.com/

    Method

POST

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://api.amplitude.com/

    Method

POST

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://api.demandbase.com/api/v2/ip.json?token=09dd7a8bed725339af3ce985f86800730b42b5cf

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://api.ipify.org/?format=json

    Method

GET

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://api.ipify.org/?format=json

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MjEwMjkmY2hhcnQ9MSZ0aW1ldGFibGU9MSIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhYnN0cmFjdF9saW5rLWxhYmVsIiwKICAgICJyZXBvcnRzX3RhYnMtYnV0dG9uLWxhYmVsIgpdLCJ0YWdfbmFtZSI6ICJzcGFuIiwiYXR0cl9fY2xhc3MiOiAiYWJzdHJhY3RfbGluay1sYWJlbCByZXBvcnRzX3RhYnMtYnV0dG9uLWxhYmVsIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhYnN0cmFjdF9saW5rIiwKICAgICJyZXBvcnRzX3RhYnMtYnV0dG9uIiwKICAgICJhYnN0cmFjdF9saW5rLWJ1dHRvbiIKXSwidGFnX25hbWUiOiAiYnV0dG9uIiwiYXR0cl9fdHlwZSI6ICJidXR0b24iLCJhdHRyX19jbGFzcyI6ICJhYnN0cmFjdF9saW5rIHJlcG9ydHNfdGFicy1idXR0b24gYWJzdHJhY3RfbGluay1idXR0b24iLCJhdHRyX190aXRsZSI6ICJNZW1iZXJzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzX3RhYnMtaXRlbSIKXSwidGFnX25hbWUiOiAibGkiLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzX3RhYnMtaXRlbSIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0c190YWJzLXRhYnMiCl0sInRhZ19uYW1lIjogInVsIiwiYXR0cl9fY2xhc3MiOiAicmVwb3J0c190YWJzLXRhYnMiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInJlcG9ydHNfdGFicy10aXRsZV93cmFwcGVyIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzX3RhYnMtdGl0bGVfd3JhcHBlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0c190YWJzIgpdLCJ0YWdfbmFtZSI6ICJzZWN0aW9uIiwiYXR0cl9fY2xhc3MiOiAicmVwb3J0c190YWJzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLXRhYl9jaGFydCIKXSwidGFnX25hbWUiOiAic2VjdGlvbiIsImF0dHJfX2NsYXNzIjogInJlcG9ydHMtdGFiX2NoYXJ0IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLWNvbnRlbnQiCl0sInRhZ19uYW1lIjogInNlY3Rpb24iLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnQiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInBhZ2Vfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAicGFnZV93cmFwcGVyIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAtbWFpbiIKXSwidGFnX25hbWUiOiAibWFpbiIsImF0dHJfX2NsYXNzIjogImFwcC1tYWluIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImFwcCIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAidWkiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2RhdGEtcmVhY3Ryb290IjogIiIsImF0dHJfX2NsYXNzIjogInVpIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtY2FudmFzIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtY2FudmFzIiwiYXR0cl9faWQiOiAiY2FudmFzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtYm9keSIKXSwidGFnX25hbWUiOiAiYm9keSIsImF0dHJfX2NsYXNzIjogImxheW91dC1ib2R5IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfQpdLCIkZWxfdGV4dCI6ICJNZW1iZXJzIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMX19&ip=1&_=1498863445287

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYtNjkyNDUtNzI5NjgtNzAzNzYtMjEwMjktMjEwMzEtMzk1MDItMjEwMjgtMzQ4MzQtNjQ2MTEtMjI2NDgtMjEwMzAmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJkcm9wZG93bi10YWdfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24tdGFnX3dyYXBwZXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duLWJ1dHRvbiIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtYnV0dG9uIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkcm9wZG93bi1idXR0b24gcmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtYnV0dG9uIiwiYXR0cl9fdGl0bGUiOiAiUHJvamVjdHMiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duIiwKICAgICJpcy1ub3JtYWwiLAogICAgImlzLW11bHRpIiwKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24gaXMtbm9ybWFsIGlzLW11bHRpIHJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJmaWx0ZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImZpbHRlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnMiCl0sInRhZ19uYW1lIjogImhlYWRlciIsImF0dHJfX2NsYXNzIjogInJlcG9ydHMtY29udGVudF9maWx0ZXJzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLWNvbnRlbnQiCl0sInRhZ19uYW1lIjogInNlY3Rpb24iLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnQiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInBhZ2Vfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAicGFnZV93cmFwcGVyIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAtbWFpbiIKXSwidGFnX25hbWUiOiAibWFpbiIsImF0dHJfX2NsYXNzIjogImFwcC1tYWluIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImFwcCIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAidWkiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2RhdGEtcmVhY3Ryb290IjogIiIsImF0dHJfX2NsYXNzIjogInVpIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtY2FudmFzIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtY2FudmFzIiwiYXR0cl9faWQiOiAiY2FudmFzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtYm9keSIKXSwidGFnX25hbWUiOiAiYm9keSIsImF0dHJfX2NsYXNzIjogImxheW91dC1ib2R5IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfQpdLCIkZWxfdGV4dCI6ICJHRU5FUkFMQ29tbWV4aXNJbnNwaXJlIExpdmVHaWxjaHJpc3QgYW5kIFNvYW1lc0dhbGlsZW9Db29rIFBvbGl0aWNhbEJEcnlCbHVlTmlsZSBBcHBZZXRpaVNjaG9vbEluaXRpYXRpdmVHcmF5IFN0cmVldFZhcmljayIsInRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0IiwiJF9fYyI6IDF9fQ%3D%3D&ip=1&_=1498863366542

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJ0cmFja2VyLXJlcG9ydHNfc2V0dGluZ3MiLCJwcm9wZXJ0aWVzIjogeyIkb3MiOiAiTWFjIE9TIFgiLCIkYnJvd3NlciI6ICJDaHJvbWUiLCIkY3VycmVudF91cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yOTc3Ni02OTI0NS03Mjk2OC03MDM3Ni0yMTAyOS0yMTAzMS0zOTUwMi0yMTAyOC0zNDgzNC02NDYxMS0yMjY0OC0yMTAzMCZjaGFydD0xJnRpbWV0YWJsZT0yIiwiJGJyb3dzZXJfdmVyc2lvbiI6IDU5LCIkc2NyZWVuX2hlaWdodCI6IDEwODAsIiRzY3JlZW5fd2lkdGgiOiAxOTIwLCJtcF9saWIiOiAiU2VnbWVudDogd2ViIiwiJGxpYl92ZXJzaW9uIjogIjIuMTIuMCIsImRpc3RpbmN0X2lkIjogInRyYWNrZXItMTA4NDMiLCIkaW5pdGlhbF9yZWZlcnJlciI6ICIkZGlyZWN0IiwiJGluaXRpYWxfcmVmZXJyaW5nX2RvbWFpbiI6ICIkZGlyZWN0IiwibXBfbmFtZV90YWciOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsImlkIjogInRyYWNrZXItMTA4NDMiLCIkZW1haWwiOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsIiRmaXJzdF9uYW1lIjogIkJlcm50IiwiJGxhc3RfbmFtZSI6ICJHdWRtZXN0YWQiLCIkbmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJkaXNwbGF5TmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJzb3VyY2UiOiAid2ViIiwiYXZhdGFyIjogeyJ0eXBlIjogImF2YXRhciIsImltYWdlX3VybCI6ICJodHRwczovL3NlY3VyZS5ncmF2YXRhci5jb20vYXZhdGFyL2ZiOWQyODQwODE4NTkyMmQxOTRkNzIzNjMwNDY3ZjQ1P2Q9YmxhbmsifSwidXNlZF9kZXNrdG9wIjogdHJ1ZSwidXNlZF93ZWIiOiB0cnVlLCJsYXN0X2FjdGl2aXR5X3RpbWUiOiAiMjAxNy0wNi0wNVQwMDowMDowMC4wMDBaIiwic2VudF9pbnZpdGF0aW9uc19jb3VudCI6IDAsInJlYWxfc2lnbmVkX3VwIjogIjIwMTYtMTEtMThUMDA6MDA6MDAuMDAwWiIsInByb2plY3RzX2NvdW50IjogMTIsImRhdGVSYW5nZSI6IDcsInN0YXJ0RGF0ZSI6ICIyMDE3LTA2LTI0VDAwOjAwOjAwLjAwMFoiLCJlbmREYXRlIjogIjIwMTctMDYtMzBUMDA6MDA6MDAuMDAwWiIsIm51bWJlck9mUHJvamVjdHMiOiAxMiwibnVtYmVyT2ZXb3JrZXJzIjogNCwiZG9jdW1lbnRUaXRsZSI6ICJSZXBvcnRzIHwgVG9wVHJhY2tlciIsInVybCI6ICJodHRwczovL3RyYWNrZXIudG9wdGFsLmNvbS9hcHAvcmVwb3J0cz9zdGFydD0yMDE3LTA2LTI0JmVuZD0yMDE3LTA2LTMwJndvcmtlcnM9YWxsJnByb2plY3RzPTI5Nzc2LTY5MjQ1LTcyOTY4LTcwMzc2LTIxMDI5LTIxMDMxLTM5NTAyLTIxMDI4LTM0ODM0LTY0NjExLTIyNjQ4LTIxMDMwJmNoYXJ0PTEmdGltZXRhYmxlPTIiLCJ1cmxTZWFyY2giOiAiP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYtNjkyNDUtNzI5NjgtNzAzNzYtMjEwMjktMjEwMzEtMzk1MDItMjEwMjgtMzQ4MzQtNjQ2MTEtMjI2NDgtMjEwMzAmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsInRpbWVab25lIjogIkFtZXJpY2EvTG9zX0FuZ2VsZXMiLCJ1c2VyX2FnZW50IjogeyJjbGllbnQiOiAiV2ViIiwib3NfdHlwZSI6ICJtYWMiLCJicm93c2VyX3R5cGUiOiAiY2hyb21lIn0sInRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0IiwiJF9fYyI6IDB9fQ%3D%3D&ip=1&_=1498863363778

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJMb2FkZWQgYSBQYWdlIiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MjEwMjkmY2hhcnQ9MiZ0aW1ldGFibGU9MSIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCJuYW1lIjogInJlcG9ydHMiLCJwYXRoIjogIi9hcHAvcmVwb3J0cyIsInJlZmVycmVyIjogIiIsInNlYXJjaCI6ICI%2Fc3RhcnQ9MjAxNy0wNi0wMSZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yMTAyOSZjaGFydD0yJnRpbWV0YWJsZT0xIiwidGl0bGUiOiAiUmVwb3J0cyB8IFRvcFRyYWNrZXIiLCJ1cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0wMSZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yMTAyOSZjaGFydD0yJnRpbWV0YWJsZT0xIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMH19&ip=1&_=1498863445365

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJMb2FkZWQgYSBQYWdlIiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL3NpZ25pbj9yZXR1cm4tdG89JTJGYXBwJTJGcmVwb3J0cyIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCJuYW1lIjogInNpZ24taW4iLCJwYXRoIjogIi9zaWduaW4iLCJyZWZlcnJlciI6ICIiLCJzZWFyY2giOiAiP3JldHVybi10bz0lMkZhcHAlMkZyZXBvcnRzIiwidGl0bGUiOiAiUmVwb3J0cyB8IFRvcFRyYWNrZXIiLCJ1cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vc2lnbmluP3JldHVybi10bz0lMkZhcHAlMkZyZXBvcnRzIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMH19&ip=1&_=1498863338176

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL3NpZ25pbj9yZXR1cm4tdG89JTJGYXBwJTJGcmVwb3J0cyIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkdGl0bGUiOiAiU2lnbiBJbiB8IFRvcFRyYWNrZXIiLCIkZXZlbnRfdHlwZSI6ICJwYWdldmlldyIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9zaWduaW4iLCJ0b2tlbiI6ICIyOWFiY2U0NzIyNTFmZmVlMjg5ZDAyYjQ3OGQ3OWMyNCIsIiRfX2MiOiAxfX0%3D&ip=1&_=1498863341716

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJkcm9wZG93bi10YWdfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24tdGFnX3dyYXBwZXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duLWJ1dHRvbiIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtYnV0dG9uIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkcm9wZG93bi1idXR0b24gcmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtYnV0dG9uIiwiYXR0cl9fdGl0bGUiOiAiUHJvamVjdHMiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duIiwKICAgICJpcy1ub3JtYWwiLAogICAgImlzLW11bHRpIiwKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24gaXMtbm9ybWFsIGlzLW11bHRpIHJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJmaWx0ZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImZpbHRlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnMiCl0sInRhZ19uYW1lIjogImhlYWRlciIsImF0dHJfX2NsYXNzIjogInJlcG9ydHMtY29udGVudF9maWx0ZXJzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLWNvbnRlbnQiCl0sInRhZ19uYW1lIjogInNlY3Rpb24iLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnQiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInBhZ2Vfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAicGFnZV93cmFwcGVyIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAtbWFpbiIKXSwidGFnX25hbWUiOiAibWFpbiIsImF0dHJfX2NsYXNzIjogImFwcC1tYWluIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImFwcCIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAidWkiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2RhdGEtcmVhY3Ryb290IjogIiIsImF0dHJfX2NsYXNzIjogInVpIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtY2FudmFzIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtY2FudmFzIiwiYXR0cl9faWQiOiAiY2FudmFzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtYm9keSIKXSwidGFnX25hbWUiOiAiYm9keSIsImF0dHJfX2NsYXNzIjogImxheW91dC1ib2R5IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfQpdLCIkZWxfdGV4dCI6ICJHRU5FUkFMIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMX19&ip=1&_=1498863362560

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJMb2FkZWQgYSBQYWdlIiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzIiwiJGJyb3dzZXJfdmVyc2lvbiI6IDU5LCIkc2NyZWVuX2hlaWdodCI6IDEwODAsIiRzY3JlZW5fd2lkdGgiOiAxOTIwLCJtcF9saWIiOiAiU2VnbWVudDogd2ViIiwiJGxpYl92ZXJzaW9uIjogIjIuMTIuMCIsImRpc3RpbmN0X2lkIjogInRyYWNrZXItMTA4NDMiLCIkaW5pdGlhbF9yZWZlcnJlciI6ICIkZGlyZWN0IiwiJGluaXRpYWxfcmVmZXJyaW5nX2RvbWFpbiI6ICIkZGlyZWN0IiwibXBfbmFtZV90YWciOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsImlkIjogInRyYWNrZXItMTA4NDMiLCIkZW1haWwiOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsIiRmaXJzdF9uYW1lIjogIkJlcm50IiwiJGxhc3RfbmFtZSI6ICJHdWRtZXN0YWQiLCIkbmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJkaXNwbGF5TmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJzb3VyY2UiOiAid2ViIiwiYXZhdGFyIjogeyJ0eXBlIjogImF2YXRhciIsImltYWdlX3VybCI6ICJodHRwczovL3NlY3VyZS5ncmF2YXRhci5jb20vYXZhdGFyL2ZiOWQyODQwODE4NTkyMmQxOTRkNzIzNjMwNDY3ZjQ1P2Q9YmxhbmsifSwidXNlZF9kZXNrdG9wIjogdHJ1ZSwidXNlZF93ZWIiOiB0cnVlLCJsYXN0X2FjdGl2aXR5X3RpbWUiOiAiMjAxNy0wNi0wNVQwMDowMDowMC4wMDBaIiwic2VudF9pbnZpdGF0aW9uc19jb3VudCI6IDAsInJlYWxfc2lnbmVkX3VwIjogIjIwMTYtMTEtMThUMDA6MDA6MDAuMDAwWiIsInByb2plY3RzX2NvdW50IjogMTIsIm5hbWUiOiAicmVwb3J0cyIsInBhdGgiOiAiL2FwcC9yZXBvcnRzIiwicmVmZXJyZXIiOiAiIiwic2VhcmNoIjogIiIsInRpdGxlIjogIlNpZ24gSW4gfCBUb3BUcmFja2VyIiwidXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMH19&ip=1&_=1498863350160

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/engage/?data=eyIkc2V0IjogeyIkb3MiOiAiTWFjIE9TIFgiLCIkYnJvd3NlciI6ICJDaHJvbWUiLCIkYnJvd3Nlcl92ZXJzaW9uIjogNTksIiRpbml0aWFsX3JlZmVycmVyIjogIiRkaXJlY3QiLCIkaW5pdGlhbF9yZWZlcnJpbmdfZG9tYWluIjogIiRkaXJlY3QiLCIkZW1haWwiOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsIiRmaXJzdF9uYW1lIjogIkJlcm50IiwiJGxhc3RfbmFtZSI6ICJHdWRtZXN0YWQiLCIkbmFtZSI6ICJCZXJudCBHdWRtZXN0YWQifSwiJHRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0IiwiJGRpc3RpbmN0X2lkIjogInRyYWNrZXItMTA4NDMifQ%3D%3D&ip=1&_=1498863350056

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJMb2FkZWQgYSBQYWdlIiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MzQ4MzQmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCJuYW1lIjogInJlcG9ydHMiLCJwYXRoIjogIi9hcHAvcmVwb3J0cyIsInJlZmVycmVyIjogIiIsInNlYXJjaCI6ICI%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0zNDgzNCZjaGFydD0xJnRpbWV0YWJsZT0yIiwidGl0bGUiOiAiUmVwb3J0cyB8IFRvcFRyYWNrZXIiLCJ1cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0zNDgzNCZjaGFydD0xJnRpbWV0YWJsZT0yIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMX19&ip=1&_=1498863370631

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJtcF9wYWdlX3ZpZXciLCJwcm9wZXJ0aWVzIjogeyIkb3MiOiAiTWFjIE9TIFgiLCIkYnJvd3NlciI6ICJDaHJvbWUiLCIkY3VycmVudF91cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vc2lnbmluP3JldHVybi10bz0lMkZhcHAlMkZyZXBvcnRzIiwiJGJyb3dzZXJfdmVyc2lvbiI6IDU5LCIkc2NyZWVuX2hlaWdodCI6IDEwODAsIiRzY3JlZW5fd2lkdGgiOiAxOTIwLCJtcF9saWIiOiAiU2VnbWVudDogd2ViIiwiJGxpYl92ZXJzaW9uIjogIjIuMTIuMCIsImRpc3RpbmN0X2lkIjogInRyYWNrZXItMTA4NDMiLCIkaW5pdGlhbF9yZWZlcnJlciI6ICIkZGlyZWN0IiwiJGluaXRpYWxfcmVmZXJyaW5nX2RvbWFpbiI6ICIkZGlyZWN0IiwibXBfbmFtZV90YWciOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsImlkIjogInRyYWNrZXItMTA4NDMiLCIkZW1haWwiOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsIiRmaXJzdF9uYW1lIjogIkJlcm50IiwiJGxhc3RfbmFtZSI6ICJHdWRtZXN0YWQiLCIkbmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJkaXNwbGF5TmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJzb3VyY2UiOiAid2ViIiwiYXZhdGFyIjogeyJ0eXBlIjogImF2YXRhciIsImltYWdlX3VybCI6ICJodHRwczovL3NlY3VyZS5ncmF2YXRhci5jb20vYXZhdGFyL2ZiOWQyODQwODE4NTkyMmQxOTRkNzIzNjMwNDY3ZjQ1P2Q9YmxhbmsifSwidXNlZF9kZXNrdG9wIjogdHJ1ZSwidXNlZF93ZWIiOiB0cnVlLCJsYXN0X2FjdGl2aXR5X3RpbWUiOiAiMjAxNy0wNi0wNVQwMDowMDowMC4wMDBaIiwic2VudF9pbnZpdGF0aW9uc19jb3VudCI6IDAsInJlYWxfc2lnbmVkX3VwIjogIjIwMTYtMTEtMThUMDA6MDA6MDAuMDAwWiIsInByb2plY3RzX2NvdW50IjogMTIsIm1wX3BhZ2UiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vc2lnbmluP3JldHVybi10bz0lMkZhcHAlMkZyZXBvcnRzIiwibXBfYnJvd3NlciI6ICJDaHJvbWUiLCJtcF9wbGF0Zm9ybSI6ICJNYWMgT1MgWCIsInRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0In19&ip=1&_=1498863338161

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJMb2FkZWQgYSBQYWdlIiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJHJlZmVycmVyIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tLz9lbWFpbD1oZHNwZWVkZnJlYWslNDBnbWFpbC5jb20mcGFzc3dvcmQ9ZnhkbDk3JnJlbWVtYmVyX21lPW9uIiwiJHJlZmVycmluZ19kb21haW4iOiAidHJhY2tlci50b3B0YWwuY29tIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL3NpZ25pbiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCJuYW1lIjogInNpZ24taW4iLCJwYXRoIjogIi9zaWduaW4iLCJyZWZlcnJlciI6ICJodHRwczovL3RyYWNrZXIudG9wdGFsLmNvbS8%2FZW1haWw9aGRzcGVlZGZyZWFrJTQwZ21haWwuY29tJnBhc3N3b3JkPWZ4ZGw5NyZyZW1lbWJlcl9tZT1vbiIsInNlYXJjaCI6ICIiLCJ0aXRsZSI6ICJMb2FkaW5nIHwgVG9wVHJhY2tlciIsInVybCI6ICJodHRwczovL3RyYWNrZXIudG9wdGFsLmNvbS9zaWduaW4iLCJ0b2tlbiI6ICIyOWFiY2U0NzIyNTFmZmVlMjg5ZDAyYjQ3OGQ3OWMyNCIsIiRfX2MiOiAxfX0%3D&ip=1&_=1498863349857

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJMb2FkZWQgYSBQYWdlIiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYtNjkyNDUtNzI5NjgtNzAzNzYtMjEwMjktMjEwMzEtMzk1MDItMjEwMjgtMzQ4MzQtNjQ2MTEtMjI2NDgtMjEwMzAmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCJuYW1lIjogInJlcG9ydHMiLCJwYXRoIjogIi9hcHAvcmVwb3J0cyIsInJlZmVycmVyIjogIiIsInNlYXJjaCI6ICI%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yOTc3Ni02OTI0NS03Mjk2OC03MDM3Ni0yMTAyOS0yMTAzMS0zOTUwMi0yMTAyOC0zNDgzNC02NDYxMS0yMjY0OC0yMTAzMCZjaGFydD0xJnRpbWV0YWJsZT0yIiwidGl0bGUiOiAiUmVwb3J0cyB8IFRvcFRyYWNrZXIiLCJ1cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yOTc3Ni02OTI0NS03Mjk2OC03MDM3Ni0yMTAyOS0yMTAzMS0zOTUwMi0yMTAyOC0zNDgzNC02NDYxMS0yMjY0OC0yMTAzMCZjaGFydD0xJnRpbWV0YWJsZT0yIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMX19&ip=1&_=1498863363699

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJMb2FkZWQgYSBQYWdlIiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MzQ4MzQmY2hhcnQ9MSZ0aW1ldGFibGU9MSIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCJuYW1lIjogInJlcG9ydHMiLCJwYXRoIjogIi9hcHAvcmVwb3J0cyIsInJlZmVycmVyIjogIiIsInNlYXJjaCI6ICI%2Fc3RhcnQ9MjAxNy0wNi0wMSZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0zNDgzNCZjaGFydD0xJnRpbWV0YWJsZT0xIiwidGl0bGUiOiAiUmVwb3J0cyB8IFRvcFRyYWNrZXIiLCJ1cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0wMSZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0zNDgzNCZjaGFydD0xJnRpbWV0YWJsZT0xIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMH19&ip=1&_=1498863386052

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJMb2FkZWQgYSBQYWdlIiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCJuYW1lIjogInJlcG9ydHMiLCJwYXRoIjogIi9hcHAvcmVwb3J0cyIsInJlZmVycmVyIjogIiIsInNlYXJjaCI6ICI%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yOTc3NiZjaGFydD0xJnRpbWV0YWJsZT0yIiwidGl0bGUiOiAiUmVwb3J0cyB8IFRvcFRyYWNrZXIiLCJ1cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yOTc3NiZjaGFydD0xJnRpbWV0YWJsZT0yIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMH19&ip=1&_=1498863351395

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MzQ4MzQmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjaGFuZ2UiLCIkY2VfdmVyc2lvbiI6IDEsIiRob3N0IjogInRyYWNrZXIudG9wdGFsLmNvbSIsIiRwYXRobmFtZSI6ICIvYXBwL3JlcG9ydHMiLCIkZWxlbWVudHMiOiBbCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiaW5wdXQiLAogICAgImlzLW5vcm1hbCIsCiAgICAiaXMtY2hlY2tib3giCl0sInRhZ19uYW1lIjogImlucHV0IiwiYXR0cl9fdHlwZSI6ICJjaGVja2JveCIsImF0dHJfX2NsYXNzIjogImlucHV0IGlzLW5vcm1hbCBpcy1jaGVja2JveCIsImF0dHJfX3ZhbHVlIjogIjM0ODM0IiwiYXR0cl9fcGxhY2Vob2xkZXIiOiAiWWV0aSIsImF0dHJfX2lkIjogInJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzLTM0ODM0IiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJpbnB1dC13cmFwcGVyIiwKICAgICJkcm9wZG93bl9pdGVtX2NoZWNrYm94LXdyYXBwZXIiLAogICAgInJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzX2l0ZW1fY2hlY2tib3gtd3JhcHBlciIsCiAgICAiaXMtY2hlY2tib3giLAogICAgImlzLWxhYmVsLXZpc2libGUiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImlucHV0LXdyYXBwZXIgZHJvcGRvd25faXRlbV9jaGVja2JveC13cmFwcGVyIHJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzX2l0ZW1fY2hlY2tib3gtd3JhcHBlciBpcy1jaGVja2JveCBpcy1sYWJlbC12aXNpYmxlIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJkcm9wZG93bl9pdGVtIiwKICAgICJpcy1jaGVja2JveCIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd25faXRlbSBpcy1jaGVja2JveCIsIm50aF9jaGlsZCI6IDEwLCJudGhfb2ZfdHlwZSI6IDEwfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJkcm9wZG93bi1saXN0IiwKICAgICJpcy1vcGVuZWQiLAogICAgImlzLWxlZnQiLAogICAgInJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzLWxpc3QiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImRyb3Bkb3duLWxpc3QgaXMtb3BlbmVkIGlzLWxlZnQgcmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtbGlzdCIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiZHJvcGRvd24iLAogICAgImlzLW5vcm1hbCIsCiAgICAiaXMtbXVsdGkiLAogICAgInJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkcm9wZG93biBpcy1ub3JtYWwgaXMtbXVsdGkgcmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDJ9LAogICAgeyJjbGFzc2VzIjogWwogICAgImZpbHRlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZmlsdGVyIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVycyIKXSwidGFnX25hbWUiOiAiaGVhZGVyIiwiYXR0cl9fY2xhc3MiOiAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnMiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInJlcG9ydHMtY29udGVudCIKXSwidGFnX25hbWUiOiAic2VjdGlvbiIsImF0dHJfX2NsYXNzIjogInJlcG9ydHMtY29udGVudCIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicGFnZV93cmFwcGVyIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJwYWdlX3dyYXBwZXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImFwcC1tYWluIgpdLCJ0YWdfbmFtZSI6ICJtYWluIiwiYXR0cl9fY2xhc3MiOiAiYXBwLW1haW4iLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImFwcCIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiYXBwIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJ1aSIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fZGF0YS1yZWFjdHJvb3QiOiAiIiwiYXR0cl9fY2xhc3MiOiAidWkiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImxheW91dC1jYW52YXMiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImxheW91dC1jYW52YXMiLCJhdHRyX19pZCI6ICJjYW52YXMiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImxheW91dC1ib2R5IgpdLCJ0YWdfbmFtZSI6ICJib2R5IiwiYXR0cl9fY2xhc3MiOiAibGF5b3V0LWJvZHkiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9Cl0sIiRlbF90ZXh0IjogIllldGkiLCJ0b2tlbiI6ICIyOWFiY2U0NzIyNTFmZmVlMjg5ZDAyYjQ3OGQ3OWMyNCIsIiRfX2MiOiAwfX0%3D&ip=1&_=1498863370580

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MjEwMjkmY2hhcnQ9MSZ0aW1ldGFibGU9MSIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjaGFuZ2UiLCIkY2VfdmVyc2lvbiI6IDEsIiRob3N0IjogInRyYWNrZXIudG9wdGFsLmNvbSIsIiRwYXRobmFtZSI6ICIvYXBwL3JlcG9ydHMiLCIkZWxlbWVudHMiOiBbCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiaW5wdXQiLAogICAgImlzLW5vcm1hbCIsCiAgICAiaXMtY2hlY2tib3giCl0sInRhZ19uYW1lIjogImlucHV0IiwidmFsdWUiOiBbCiAgICAiMzQ4MzQiCl0sImF0dHJfX3R5cGUiOiAiY2hlY2tib3giLCJhdHRyX19jbGFzcyI6ICJpbnB1dCBpcy1ub3JtYWwgaXMtY2hlY2tib3giLCJhdHRyX192YWx1ZSI6ICIzNDgzNCIsImF0dHJfX3BsYWNlaG9sZGVyIjogIllldGkiLCJhdHRyX19pZCI6ICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy0zNDgzNCIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiaW5wdXQtd3JhcHBlciIsCiAgICAiZHJvcGRvd25faXRlbV9jaGVja2JveC13cmFwcGVyIiwKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0c19pdGVtX2NoZWNrYm94LXdyYXBwZXIiLAogICAgImlzLWNoZWNrYm94IiwKICAgICJpcy1sYWJlbC12aXNpYmxlIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJpbnB1dC13cmFwcGVyIGRyb3Bkb3duX2l0ZW1fY2hlY2tib3gtd3JhcHBlciByZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0c19pdGVtX2NoZWNrYm94LXdyYXBwZXIgaXMtY2hlY2tib3ggaXMtbGFiZWwtdmlzaWJsZSIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiZHJvcGRvd25faXRlbSIsCiAgICAiaXMtY2hlY2tib3giCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImRyb3Bkb3duX2l0ZW0gaXMtY2hlY2tib3giLCJudGhfY2hpbGQiOiAxMCwibnRoX29mX3R5cGUiOiAxMH0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiZHJvcGRvd24tbGlzdCIsCiAgICAiaXMtb3BlbmVkIiwKICAgICJpcy1sZWZ0IiwKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy1saXN0IgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkcm9wZG93bi1saXN0IGlzLW9wZW5lZCBpcy1sZWZ0IHJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzLWxpc3QiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDJ9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duIiwKICAgICJpcy1ub3JtYWwiLAogICAgImlzLW11bHRpIiwKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24gaXMtbm9ybWFsIGlzLW11bHRpIHJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJmaWx0ZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImZpbHRlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnMiCl0sInRhZ19uYW1lIjogImhlYWRlciIsImF0dHJfX2NsYXNzIjogInJlcG9ydHMtY29udGVudF9maWx0ZXJzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLWNvbnRlbnQiCl0sInRhZ19uYW1lIjogInNlY3Rpb24iLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnQiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInBhZ2Vfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAicGFnZV93cmFwcGVyIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAtbWFpbiIKXSwidGFnX25hbWUiOiAibWFpbiIsImF0dHJfX2NsYXNzIjogImFwcC1tYWluIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImFwcCIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAidWkiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2RhdGEtcmVhY3Ryb290IjogIiIsImF0dHJfX2NsYXNzIjogInVpIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtY2FudmFzIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtY2FudmFzIiwiYXR0cl9faWQiOiAiY2FudmFzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtYm9keSIKXSwidGFnX25hbWUiOiAiYm9keSIsImF0dHJfX2NsYXNzIjogImxheW91dC1ib2R5IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfQpdLCIkZWxfdGV4dCI6ICJZZXRpIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMH19&ip=1&_=1498863436665

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MjEwMjkmY2hhcnQ9MSZ0aW1ldGFibGU9MSIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLWNvbnRlbnQiCl0sInRhZ19uYW1lIjogInNlY3Rpb24iLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnQiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInBhZ2Vfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAicGFnZV93cmFwcGVyIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAtbWFpbiIKXSwidGFnX25hbWUiOiAibWFpbiIsImF0dHJfX2NsYXNzIjogImFwcC1tYWluIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImFwcCIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAidWkiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2RhdGEtcmVhY3Ryb290IjogIiIsImF0dHJfX2NsYXNzIjogInVpIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtY2FudmFzIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtY2FudmFzIiwiYXR0cl9faWQiOiAiY2FudmFzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtYm9keSIKXSwidGFnX25hbWUiOiAiYm9keSIsImF0dHJfX2NsYXNzIjogImxheW91dC1ib2R5IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfQpdLCIkZWxfdGV4dCI6ICJQcm9qZWN0c0dhbGlsZW9TZWxlY3QgYWxsIFByb2plY3RzQ29tbWV4aXNHRU5FUkFMSW5zcGlyZSBMaXZlR2lsY2hyaXN0IGFuZCBTb2FtZXNHYWxpbGVvQ29vayBQb2xpdGljYWxCRHJ5Qmx1ZU5pbGUgQXBwWWV0aWlTY2hvb2xJbml0aWF0aXZlR3JheSBTdHJlZXRWYXJpY2tDbG9zZU1lbWJlcnNCZXJudCBHdWRtZXN0YWRTdGV2ZSBTdXp1a2lKZXNzaWVEYXZpZCBCdWNoYW5hblNlbGVjdCBhbGwgTWVtYmVyc0Jlcm50IEd1ZG1lc3RhZFN0ZXZlIFMiLCJ0b2tlbiI6ICIyOWFiY2U0NzIyNTFmZmVlMjg5ZDAyYjQ3OGQ3OWMyNCIsIiRfX2MiOiAxfX0%3D&ip=1&_=1498863437645

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJ0cmFja2VyLXJlcG9ydHNfc2V0dGluZ3MiLCJwcm9wZXJ0aWVzIjogeyIkb3MiOiAiTWFjIE9TIFgiLCIkYnJvd3NlciI6ICJDaHJvbWUiLCIkY3VycmVudF91cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yOTc3NiZjaGFydD0xJnRpbWV0YWJsZT0yIiwiJGJyb3dzZXJfdmVyc2lvbiI6IDU5LCIkc2NyZWVuX2hlaWdodCI6IDEwODAsIiRzY3JlZW5fd2lkdGgiOiAxOTIwLCJtcF9saWIiOiAiU2VnbWVudDogd2ViIiwiJGxpYl92ZXJzaW9uIjogIjIuMTIuMCIsImRpc3RpbmN0X2lkIjogInRyYWNrZXItMTA4NDMiLCIkaW5pdGlhbF9yZWZlcnJlciI6ICIkZGlyZWN0IiwiJGluaXRpYWxfcmVmZXJyaW5nX2RvbWFpbiI6ICIkZGlyZWN0IiwibXBfbmFtZV90YWciOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsImlkIjogInRyYWNrZXItMTA4NDMiLCIkZW1haWwiOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsIiRmaXJzdF9uYW1lIjogIkJlcm50IiwiJGxhc3RfbmFtZSI6ICJHdWRtZXN0YWQiLCIkbmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJkaXNwbGF5TmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJzb3VyY2UiOiAid2ViIiwiYXZhdGFyIjogeyJ0eXBlIjogImF2YXRhciIsImltYWdlX3VybCI6ICJodHRwczovL3NlY3VyZS5ncmF2YXRhci5jb20vYXZhdGFyL2ZiOWQyODQwODE4NTkyMmQxOTRkNzIzNjMwNDY3ZjQ1P2Q9YmxhbmsifSwidXNlZF9kZXNrdG9wIjogdHJ1ZSwidXNlZF93ZWIiOiB0cnVlLCJsYXN0X2FjdGl2aXR5X3RpbWUiOiAiMjAxNy0wNi0wNVQwMDowMDowMC4wMDBaIiwic2VudF9pbnZpdGF0aW9uc19jb3VudCI6IDAsInJlYWxfc2lnbmVkX3VwIjogIjIwMTYtMTEtMThUMDA6MDA6MDAuMDAwWiIsInByb2plY3RzX2NvdW50IjogMTIsImRhdGVSYW5nZSI6IDcsInN0YXJ0RGF0ZSI6ICIyMDE3LTA2LTI0VDAwOjAwOjAwLjAwMFoiLCJlbmREYXRlIjogIjIwMTctMDYtMzBUMDA6MDA6MDAuMDAwWiIsIm51bWJlck9mUHJvamVjdHMiOiAxLCJudW1iZXJPZldvcmtlcnMiOiA0LCJkb2N1bWVudFRpdGxlIjogIlJlcG9ydHMgfCBUb3BUcmFja2VyIiwidXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsInVybFNlYXJjaCI6ICI%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yOTc3NiZjaGFydD0xJnRpbWV0YWJsZT0yIiwidGltZVpvbmUiOiAiQW1lcmljYS9Mb3NfQW5nZWxlcyIsInVzZXJfYWdlbnQiOiB7ImNsaWVudCI6ICJXZWIiLCJvc190eXBlIjogIm1hYyIsImJyb3dzZXJfdHlwZSI6ICJjaHJvbWUifSwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMH19&ip=1&_=1498863351594

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJpbnB1dC1ob2xkZXIiLAogICAgImlzLWNoZWNrYm94IiwKICAgICJpcy1sYWJlbC12aXNpYmxlIgpdLCJ0YWdfbmFtZSI6ICJsYWJlbCIsImF0dHJfX2ZvciI6ICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy0wIiwiYXR0cl9fY2xhc3MiOiAiaW5wdXQtaG9sZGVyIGlzLWNoZWNrYm94IGlzLWxhYmVsLXZpc2libGUiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImlucHV0LXdyYXBwZXIiLAogICAgImRyb3Bkb3duX2l0ZW1fY2hlY2tib3gtd3JhcHBlciIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHNfaXRlbV9jaGVja2JveC13cmFwcGVyIiwKICAgICJpcy1jaGVja2JveCIsCiAgICAiaXMtbGFiZWwtdmlzaWJsZSIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiaW5wdXQtd3JhcHBlciBkcm9wZG93bl9pdGVtX2NoZWNrYm94LXdyYXBwZXIgcmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHNfaXRlbV9jaGVja2JveC13cmFwcGVyIGlzLWNoZWNrYm94IGlzLWxhYmVsLXZpc2libGUiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duX2l0ZW0iLAogICAgImlzLWNoZWNrYm94IiwKICAgICJpcy1ib2xkIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkcm9wZG93bl9pdGVtIGlzLWNoZWNrYm94IGlzLWJvbGQiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duLWxpc3QiLAogICAgImlzLW9wZW5lZCIsCiAgICAiaXMtbGVmdCIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtbGlzdCIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24tbGlzdCBpcy1vcGVuZWQgaXMtbGVmdCByZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy1saXN0IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJkcm9wZG93biIsCiAgICAiaXMtbm9ybWFsIiwKICAgICJpcy1tdWx0aSIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImRyb3Bkb3duIGlzLW5vcm1hbCBpcy1tdWx0aSByZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cyIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiZmlsdGVyIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJmaWx0ZXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInJlcG9ydHMtY29udGVudF9maWx0ZXJzIgpdLCJ0YWdfbmFtZSI6ICJoZWFkZXIiLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVycyIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0cy1jb250ZW50IgpdLCJ0YWdfbmFtZSI6ICJzZWN0aW9uIiwiYXR0cl9fY2xhc3MiOiAicmVwb3J0cy1jb250ZW50IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJwYWdlX3dyYXBwZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogInBhZ2Vfd3JhcHBlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYXBwLW1haW4iCl0sInRhZ19uYW1lIjogIm1haW4iLCJhdHRyX19jbGFzcyI6ICJhcHAtbWFpbiIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYXBwIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJhcHAiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDJ9LAogICAgeyJjbGFzc2VzIjogWwogICAgInVpIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19kYXRhLXJlYWN0cm9vdCI6ICIiLCJhdHRyX19jbGFzcyI6ICJ1aSIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWNhbnZhcyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAibGF5b3V0LWNhbnZhcyIsImF0dHJfX2lkIjogImNhbnZhcyIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWJvZHkiCl0sInRhZ19uYW1lIjogImJvZHkiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtYm9keSIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0KXSwiJGVsX3RleHQiOiAiU2VsZWN0IGFsbCBQcm9qZWN0cyIsInRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0IiwiJF9fYyI6IDF9fQ%3D%3D&ip=1&_=1498863363581

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

Instances

61

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJ0cmFja2VyLXJlcG9ydHNfc2V0dGluZ3MiLCJwcm9wZXJ0aWVzIjogeyIkb3MiOiAiTWFjIE9TIFgiLCIkYnJvd3NlciI6ICJDaHJvbWUiLCIkY3VycmVudF91cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yOTc3NiZjaGFydD0xJnRpbWV0YWJsZT0yIiwiJGJyb3dzZXJfdmVyc2lvbiI6IDU5LCIkc2NyZWVuX2hlaWdodCI6IDEwODAsIiRzY3JlZW5fd2lkdGgiOiAxOTIwLCJtcF9saWIiOiAiU2VnbWVudDogd2ViIiwiJGxpYl92ZXJzaW9uIjogIjIuMTIuMCIsImRpc3RpbmN0X2lkIjogInRyYWNrZXItMTA4NDMiLCIkaW5pdGlhbF9yZWZlcnJlciI6ICIkZGlyZWN0IiwiJGluaXRpYWxfcmVmZXJyaW5nX2RvbWFpbiI6ICIkZGlyZWN0IiwibXBfbmFtZV90YWciOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsImlkIjogInRyYWNrZXItMTA4NDMiLCIkZW1haWwiOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsIiRmaXJzdF9uYW1lIjogIkJlcm50IiwiJGxhc3RfbmFtZSI6ICJHdWRtZXN0YWQiLCIkbmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJkaXNwbGF5TmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJzb3VyY2UiOiAid2ViIiwiYXZhdGFyIjogeyJ0eXBlIjogImF2YXRhciIsImltYWdlX3VybCI6ICJodHRwczovL3NlY3VyZS5ncmF2YXRhci5jb20vYXZhdGFyL2ZiOWQyODQwODE4NTkyMmQxOTRkNzIzNjMwNDY3ZjQ1P2Q9YmxhbmsifSwidXNlZF9kZXNrdG9wIjogdHJ1ZSwidXNlZF93ZWIiOiB0cnVlLCJsYXN0X2FjdGl2aXR5X3RpbWUiOiAiMjAxNy0wNi0wNVQwMDowMDowMC4wMDBaIiwic2VudF9pbnZpdGF0aW9uc19jb3VudCI6IDAsInJlYWxfc2lnbmVkX3VwIjogIjIwMTYtMTEtMThUMDA6MDA6MDAuMDAwWiIsInByb2plY3RzX2NvdW50IjogMTIsImRhdGVSYW5nZSI6IDcsInN0YXJ0RGF0ZSI6ICIyMDE3LTA2LTI0VDAwOjAwOjAwLjAwMFoiLCJlbmREYXRlIjogIjIwMTctMDYtMzBUMDA6MDA6MDAuMDAwWiIsIm51bWJlck9mUHJvamVjdHMiOiAxLCJudW1iZXJPZldvcmtlcnMiOiA0LCJkb2N1bWVudFRpdGxlIjogIlJlcG9ydHMgfCBUb3BUcmFja2VyIiwidXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsInVybFNlYXJjaCI6ICI%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yOTc3NiZjaGFydD0xJnRpbWV0YWJsZT0yIiwidGltZVpvbmUiOiAiQW1lcmljYS9Mb3NfQW5nZWxlcyIsInVzZXJfYWdlbnQiOiB7ImNsaWVudCI6ICJXZWIiLCJvc190eXBlIjogIm1hYyIsImJyb3dzZXJfdHlwZSI6ICJjaHJvbWUifSwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMH19&ip=1&_=1498863351594

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJMb2FkZWQgYSBQYWdlIiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MzQ4MzQmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCJuYW1lIjogInJlcG9ydHMiLCJwYXRoIjogIi9hcHAvcmVwb3J0cyIsInJlZmVycmVyIjogIiIsInNlYXJjaCI6ICI%2Fc3RhcnQ9MjAxNy0wNi0wMSZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0zNDgzNCZjaGFydD0xJnRpbWV0YWJsZT0yIiwidGl0bGUiOiAiUmVwb3J0cyB8IFRvcFRyYWNrZXIiLCJ1cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0wMSZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0zNDgzNCZjaGFydD0xJnRpbWV0YWJsZT0yIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMH19&ip=1&_=1498863373740

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MzQ4MzQmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhYnN0cmFjdF9saW5rLWxhYmVsIiwKICAgICJyZXBvcnRzX3RhYnMtYnV0dG9uLWxhYmVsIgpdLCJ0YWdfbmFtZSI6ICJzcGFuIiwiYXR0cl9fY2xhc3MiOiAiYWJzdHJhY3RfbGluay1sYWJlbCByZXBvcnRzX3RhYnMtYnV0dG9uLWxhYmVsIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhYnN0cmFjdF9saW5rIiwKICAgICJyZXBvcnRzX3RhYnMtYnV0dG9uIiwKICAgICJhYnN0cmFjdF9saW5rLWJ1dHRvbiIKXSwidGFnX25hbWUiOiAiYnV0dG9uIiwiYXR0cl9fdHlwZSI6ICJidXR0b24iLCJhdHRyX19jbGFzcyI6ICJhYnN0cmFjdF9saW5rIHJlcG9ydHNfdGFicy1idXR0b24gYWJzdHJhY3RfbGluay1idXR0b24iLCJhdHRyX190aXRsZSI6ICJBY3Rpdml0aWVzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzX3RhYnMtaXRlbSIKXSwidGFnX25hbWUiOiAibGkiLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzX3RhYnMtaXRlbSIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0c190YWJzLXRhYnMiCl0sInRhZ19uYW1lIjogInVsIiwiYXR0cl9fY2xhc3MiOiAicmVwb3J0c190YWJzLXRhYnMiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInJlcG9ydHNfdGFicy10aXRsZV93cmFwcGVyIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzX3RhYnMtdGl0bGVfd3JhcHBlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0c190YWJzIgpdLCJ0YWdfbmFtZSI6ICJzZWN0aW9uIiwiYXR0cl9fY2xhc3MiOiAicmVwb3J0c190YWJzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLXRhYl9hY3Rpdml0aWVzIgpdLCJ0YWdfbmFtZSI6ICJzZWN0aW9uIiwiYXR0cl9fY2xhc3MiOiAicmVwb3J0cy10YWJfYWN0aXZpdGllcyIsIm50aF9jaGlsZCI6IDQsIm50aF9vZl90eXBlIjogM30sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0cy1jb250ZW50IgpdLCJ0YWdfbmFtZSI6ICJzZWN0aW9uIiwiYXR0cl9fY2xhc3MiOiAicmVwb3J0cy1jb250ZW50IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJwYWdlX3dyYXBwZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogInBhZ2Vfd3JhcHBlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYXBwLW1haW4iCl0sInRhZ19uYW1lIjogIm1haW4iLCJhdHRyX19jbGFzcyI6ICJhcHAtbWFpbiIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYXBwIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJhcHAiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDJ9LAogICAgeyJjbGFzc2VzIjogWwogICAgInVpIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19kYXRhLXJlYWN0cm9vdCI6ICIiLCJhdHRyX19jbGFzcyI6ICJ1aSIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWNhbnZhcyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAibGF5b3V0LWNhbnZhcyIsImF0dHJfX2lkIjogImNhbnZhcyIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWJvZHkiCl0sInRhZ19uYW1lIjogImJvZHkiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtYm9keSIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0KXSwiJGVsX3RleHQiOiAiQWN0aXZpdGllcyIsInRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0IiwiJF9fYyI6IDF9fQ%3D%3D&ip=1&_=1498863385924

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJMb2FkZWQgYSBQYWdlIiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MjEwMjkmY2hhcnQ9MSZ0aW1ldGFibGU9MSIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCJuYW1lIjogInJlcG9ydHMiLCJwYXRoIjogIi9hcHAvcmVwb3J0cyIsInJlZmVycmVyIjogIiIsInNlYXJjaCI6ICI%2Fc3RhcnQ9MjAxNy0wNi0wMSZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yMTAyOSZjaGFydD0xJnRpbWV0YWJsZT0xIiwidGl0bGUiOiAiUmVwb3J0cyB8IFRvcFRyYWNrZXIiLCJ1cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0wMSZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yMTAyOSZjaGFydD0xJnRpbWV0YWJsZT0xIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMX19&ip=1&_=1498863436726

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYtNjkyNDUtNzI5NjgtNzAzNzYtMjEwMjktMjEwMzEtMzk1MDItMjEwMjgtMzQ4MzQtNjQ2MTEtMjI2NDgtMjEwMzAmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjaGFuZ2UiLCIkY2VfdmVyc2lvbiI6IDEsIiRob3N0IjogInRyYWNrZXIudG9wdGFsLmNvbSIsIiRwYXRobmFtZSI6ICIvYXBwL3JlcG9ydHMiLCIkZWxlbWVudHMiOiBbCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiaW5wdXQiLAogICAgImlzLW5vcm1hbCIsCiAgICAiaXMtY2hlY2tib3giCl0sInRhZ19uYW1lIjogImlucHV0IiwiYXR0cl9fdHlwZSI6ICJjaGVja2JveCIsImF0dHJfX2NsYXNzIjogImlucHV0IGlzLW5vcm1hbCBpcy1jaGVja2JveCIsImF0dHJfX3ZhbHVlIjogIjAiLCJhdHRyX19wbGFjZWhvbGRlciI6ICJTZWxlY3QgYWxsIFByb2plY3RzIiwiYXR0cl9faWQiOiAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtMCIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiaW5wdXQtd3JhcHBlciIsCiAgICAiZHJvcGRvd25faXRlbV9jaGVja2JveC13cmFwcGVyIiwKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0c19pdGVtX2NoZWNrYm94LXdyYXBwZXIiLAogICAgImlzLWNoZWNrYm94IiwKICAgICJpcy1sYWJlbC12aXNpYmxlIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJpbnB1dC13cmFwcGVyIGRyb3Bkb3duX2l0ZW1fY2hlY2tib3gtd3JhcHBlciByZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0c19pdGVtX2NoZWNrYm94LXdyYXBwZXIgaXMtY2hlY2tib3ggaXMtbGFiZWwtdmlzaWJsZSIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiZHJvcGRvd25faXRlbSIsCiAgICAiaXMtY2hlY2tib3giLAogICAgImlzLWJvbGQiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImRyb3Bkb3duX2l0ZW0gaXMtY2hlY2tib3ggaXMtYm9sZCIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiZHJvcGRvd24tbGlzdCIsCiAgICAiaXMtb3BlbmVkIiwKICAgICJpcy1sZWZ0IiwKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy1saXN0IgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkcm9wZG93bi1saXN0IGlzLW9wZW5lZCBpcy1sZWZ0IHJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzLWxpc3QiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDJ9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duIiwKICAgICJpcy1ub3JtYWwiLAogICAgImlzLW11bHRpIiwKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24gaXMtbm9ybWFsIGlzLW11bHRpIHJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJmaWx0ZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImZpbHRlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnMiCl0sInRhZ19uYW1lIjogImhlYWRlciIsImF0dHJfX2NsYXNzIjogInJlcG9ydHMtY29udGVudF9maWx0ZXJzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLWNvbnRlbnQiCl0sInRhZ19uYW1lIjogInNlY3Rpb24iLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnQiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInBhZ2Vfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAicGFnZV93cmFwcGVyIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAtbWFpbiIKXSwidGFnX25hbWUiOiAibWFpbiIsImF0dHJfX2NsYXNzIjogImFwcC1tYWluIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImFwcCIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAidWkiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2RhdGEtcmVhY3Ryb290IjogIiIsImF0dHJfX2NsYXNzIjogInVpIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtY2FudmFzIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtY2FudmFzIiwiYXR0cl9faWQiOiAiY2FudmFzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtYm9keSIKXSwidGFnX25hbWUiOiAiYm9keSIsImF0dHJfX2NsYXNzIjogImxheW91dC1ib2R5IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfQpdLCIkZWxfdGV4dCI6ICJTZWxlY3QgYWxsIFByb2plY3RzIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMH19&ip=1&_=1498863363591

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9bm9uZSZjaGFydD0xJnRpbWV0YWJsZT0yIiwiJGJyb3dzZXJfdmVyc2lvbiI6IDU5LCIkc2NyZWVuX2hlaWdodCI6IDEwODAsIiRzY3JlZW5fd2lkdGgiOiAxOTIwLCJtcF9saWIiOiAiU2VnbWVudDogd2ViIiwiJGxpYl92ZXJzaW9uIjogIjIuMTIuMCIsImRpc3RpbmN0X2lkIjogInRyYWNrZXItMTA4NDMiLCIkaW5pdGlhbF9yZWZlcnJlciI6ICIkZGlyZWN0IiwiJGluaXRpYWxfcmVmZXJyaW5nX2RvbWFpbiI6ICIkZGlyZWN0IiwibXBfbmFtZV90YWciOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsImlkIjogInRyYWNrZXItMTA4NDMiLCIkZW1haWwiOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsIiRmaXJzdF9uYW1lIjogIkJlcm50IiwiJGxhc3RfbmFtZSI6ICJHdWRtZXN0YWQiLCIkbmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJkaXNwbGF5TmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJzb3VyY2UiOiAid2ViIiwiYXZhdGFyIjogeyJ0eXBlIjogImF2YXRhciIsImltYWdlX3VybCI6ICJodHRwczovL3NlY3VyZS5ncmF2YXRhci5jb20vYXZhdGFyL2ZiOWQyODQwODE4NTkyMmQxOTRkNzIzNjMwNDY3ZjQ1P2Q9YmxhbmsifSwidXNlZF9kZXNrdG9wIjogdHJ1ZSwidXNlZF93ZWIiOiB0cnVlLCJsYXN0X2FjdGl2aXR5X3RpbWUiOiAiMjAxNy0wNi0wNVQwMDowMDowMC4wMDBaIiwic2VudF9pbnZpdGF0aW9uc19jb3VudCI6IDAsInJlYWxfc2lnbmVkX3VwIjogIjIwMTYtMTEtMThUMDA6MDA6MDAuMDAwWiIsInByb2plY3RzX2NvdW50IjogMTIsIiRldmVudF90eXBlIjogImNsaWNrIiwiJGNlX3ZlcnNpb24iOiAxLCIkaG9zdCI6ICJ0cmFja2VyLnRvcHRhbC5jb20iLCIkcGF0aG5hbWUiOiAiL2FwcC9yZXBvcnRzIiwiJGVsZW1lbnRzIjogWwogICAgeyJjbGFzc2VzIjogWwogICAgImlucHV0LWhvbGRlciIsCiAgICAiaXMtY2hlY2tib3giLAogICAgImlzLWxhYmVsLXZpc2libGUiCl0sInRhZ19uYW1lIjogImxhYmVsIiwiYXR0cl9fZm9yIjogInJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzLTM0ODM0IiwiYXR0cl9fY2xhc3MiOiAiaW5wdXQtaG9sZGVyIGlzLWNoZWNrYm94IGlzLWxhYmVsLXZpc2libGUiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImlucHV0LXdyYXBwZXIiLAogICAgImRyb3Bkb3duX2l0ZW1fY2hlY2tib3gtd3JhcHBlciIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHNfaXRlbV9jaGVja2JveC13cmFwcGVyIiwKICAgICJpcy1jaGVja2JveCIsCiAgICAiaXMtbGFiZWwtdmlzaWJsZSIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiaW5wdXQtd3JhcHBlciBkcm9wZG93bl9pdGVtX2NoZWNrYm94LXdyYXBwZXIgcmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHNfaXRlbV9jaGVja2JveC13cmFwcGVyIGlzLWNoZWNrYm94IGlzLWxhYmVsLXZpc2libGUiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duX2l0ZW0iLAogICAgImlzLWNoZWNrYm94IgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkcm9wZG93bl9pdGVtIGlzLWNoZWNrYm94IiwibnRoX2NoaWxkIjogMTAsIm50aF9vZl90eXBlIjogMTB9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duLWxpc3QiLAogICAgImlzLW9wZW5lZCIsCiAgICAiaXMtbGVmdCIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtbGlzdCIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24tbGlzdCBpcy1vcGVuZWQgaXMtbGVmdCByZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy1saXN0IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJkcm9wZG93biIsCiAgICAiaXMtbm9ybWFsIiwKICAgICJpcy1tdWx0aSIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImRyb3Bkb3duIGlzLW5vcm1hbCBpcy1tdWx0aSByZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cyIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiZmlsdGVyIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJmaWx0ZXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInJlcG9ydHMtY29udGVudF9maWx0ZXJzIgpdLCJ0YWdfbmFtZSI6ICJoZWFkZXIiLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVycyIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0cy1jb250ZW50IgpdLCJ0YWdfbmFtZSI6ICJzZWN0aW9uIiwiYXR0cl9fY2xhc3MiOiAicmVwb3J0cy1jb250ZW50IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJwYWdlX3dyYXBwZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogInBhZ2Vfd3JhcHBlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYXBwLW1haW4iCl0sInRhZ19uYW1lIjogIm1haW4iLCJhdHRyX19jbGFzcyI6ICJhcHAtbWFpbiIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYXBwIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJhcHAiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDJ9LAogICAgeyJjbGFzc2VzIjogWwogICAgInVpIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19kYXRhLXJlYWN0cm9vdCI6ICIiLCJhdHRyX19jbGFzcyI6ICJ1aSIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWNhbnZhcyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAibGF5b3V0LWNhbnZhcyIsImF0dHJfX2lkIjogImNhbnZhcyIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWJvZHkiCl0sInRhZ19uYW1lIjogImJvZHkiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtYm9keSIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0KXSwiJGVsX3RleHQiOiAiWWV0aSIsInRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0IiwiJF9fYyI6IDF9fQ%3D%3D&ip=1&_=1498863370568

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/decide/?verbose=1&version=1&lib=web&token=29abce472251ffee289d02b478d79c24&ip=1&_=1498863349812

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJpbnB1dC1ob2xkZXIiLAogICAgImlzLWNoZWNrYm94IiwKICAgICJpcy1sYWJlbC12aXNpYmxlIgpdLCJ0YWdfbmFtZSI6ICJsYWJlbCIsImF0dHJfX2ZvciI6ICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy0wIiwiYXR0cl9fY2xhc3MiOiAiaW5wdXQtaG9sZGVyIGlzLWNoZWNrYm94IGlzLWxhYmVsLXZpc2libGUiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImlucHV0LXdyYXBwZXIiLAogICAgImRyb3Bkb3duX2l0ZW1fY2hlY2tib3gtd3JhcHBlciIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHNfaXRlbV9jaGVja2JveC13cmFwcGVyIiwKICAgICJpcy1jaGVja2JveCIsCiAgICAiaXMtbGFiZWwtdmlzaWJsZSIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiaW5wdXQtd3JhcHBlciBkcm9wZG93bl9pdGVtX2NoZWNrYm94LXdyYXBwZXIgcmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHNfaXRlbV9jaGVja2JveC13cmFwcGVyIGlzLWNoZWNrYm94IGlzLWxhYmVsLXZpc2libGUiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duX2l0ZW0iLAogICAgImlzLWNoZWNrYm94IiwKICAgICJpcy1ib2xkIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkcm9wZG93bl9pdGVtIGlzLWNoZWNrYm94IGlzLWJvbGQiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duLWxpc3QiLAogICAgImlzLW9wZW5lZCIsCiAgICAiaXMtbGVmdCIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtbGlzdCIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24tbGlzdCBpcy1vcGVuZWQgaXMtbGVmdCByZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy1saXN0IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJkcm9wZG93biIsCiAgICAiaXMtbm9ybWFsIiwKICAgICJpcy1tdWx0aSIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImRyb3Bkb3duIGlzLW5vcm1hbCBpcy1tdWx0aSByZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cyIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiZmlsdGVyIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJmaWx0ZXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInJlcG9ydHMtY29udGVudF9maWx0ZXJzIgpdLCJ0YWdfbmFtZSI6ICJoZWFkZXIiLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVycyIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0cy1jb250ZW50IgpdLCJ0YWdfbmFtZSI6ICJzZWN0aW9uIiwiYXR0cl9fY2xhc3MiOiAicmVwb3J0cy1jb250ZW50IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJwYWdlX3dyYXBwZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogInBhZ2Vfd3JhcHBlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYXBwLW1haW4iCl0sInRhZ19uYW1lIjogIm1haW4iLCJhdHRyX19jbGFzcyI6ICJhcHAtbWFpbiIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYXBwIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJhcHAiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDJ9LAogICAgeyJjbGFzc2VzIjogWwogICAgInVpIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19kYXRhLXJlYWN0cm9vdCI6ICIiLCJhdHRyX19jbGFzcyI6ICJ1aSIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWNhbnZhcyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAibGF5b3V0LWNhbnZhcyIsImF0dHJfX2lkIjogImNhbnZhcyIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWJvZHkiCl0sInRhZ19uYW1lIjogImJvZHkiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtYm9keSIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0KXSwiJGVsX3RleHQiOiAiU2VsZWN0IGFsbCBQcm9qZWN0cyIsInRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0IiwiJF9fYyI6IDF9fQ%3D%3D&ip=1&_=1498863363581

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYtNjkyNDUtNzI5NjgtNzAzNzYtMjEwMjktMjEwMzEtMzk1MDItMjEwMjgtMzQ4MzQtNjQ2MTEtMjI2NDgtMjEwMzAmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJpbnB1dC1ob2xkZXIiLAogICAgImlzLWNoZWNrYm94IiwKICAgICJpcy1sYWJlbC12aXNpYmxlIgpdLCJ0YWdfbmFtZSI6ICJsYWJlbCIsImF0dHJfX2ZvciI6ICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy0wIiwiYXR0cl9fY2xhc3MiOiAiaW5wdXQtaG9sZGVyIGlzLWNoZWNrYm94IGlzLWxhYmVsLXZpc2libGUiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImlucHV0LXdyYXBwZXIiLAogICAgImRyb3Bkb3duX2l0ZW1fY2hlY2tib3gtd3JhcHBlciIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHNfaXRlbV9jaGVja2JveC13cmFwcGVyIiwKICAgICJpcy1jaGVja2JveCIsCiAgICAiaXMtbGFiZWwtdmlzaWJsZSIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiaW5wdXQtd3JhcHBlciBkcm9wZG93bl9pdGVtX2NoZWNrYm94LXdyYXBwZXIgcmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHNfaXRlbV9jaGVja2JveC13cmFwcGVyIGlzLWNoZWNrYm94IGlzLWxhYmVsLXZpc2libGUiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duX2l0ZW0iLAogICAgImlzLWNoZWNrYm94IiwKICAgICJpcy1ib2xkIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkcm9wZG93bl9pdGVtIGlzLWNoZWNrYm94IGlzLWJvbGQiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duLWxpc3QiLAogICAgImlzLW9wZW5lZCIsCiAgICAiaXMtbGVmdCIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtbGlzdCIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24tbGlzdCBpcy1vcGVuZWQgaXMtbGVmdCByZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy1saXN0IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJkcm9wZG93biIsCiAgICAiaXMtbm9ybWFsIiwKICAgICJpcy1tdWx0aSIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImRyb3Bkb3duIGlzLW5vcm1hbCBpcy1tdWx0aSByZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cyIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiZmlsdGVyIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJmaWx0ZXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInJlcG9ydHMtY29udGVudF9maWx0ZXJzIgpdLCJ0YWdfbmFtZSI6ICJoZWFkZXIiLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVycyIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0cy1jb250ZW50IgpdLCJ0YWdfbmFtZSI6ICJzZWN0aW9uIiwiYXR0cl9fY2xhc3MiOiAicmVwb3J0cy1jb250ZW50IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJwYWdlX3dyYXBwZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogInBhZ2Vfd3JhcHBlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYXBwLW1haW4iCl0sInRhZ19uYW1lIjogIm1haW4iLCJhdHRyX19jbGFzcyI6ICJhcHAtbWFpbiIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYXBwIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJhcHAiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDJ9LAogICAgeyJjbGFzc2VzIjogWwogICAgInVpIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19kYXRhLXJlYWN0cm9vdCI6ICIiLCJhdHRyX19jbGFzcyI6ICJ1aSIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWNhbnZhcyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAibGF5b3V0LWNhbnZhcyIsImF0dHJfX2lkIjogImNhbnZhcyIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWJvZHkiCl0sInRhZ19uYW1lIjogImJvZHkiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtYm9keSIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0KXSwiJGVsX3RleHQiOiAiU2VsZWN0IGFsbCBQcm9qZWN0cyIsInRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0IiwiJF9fYyI6IDF9fQ%3D%3D&ip=1&_=1498863367614

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MzQ4MzQmY2hhcnQ9MSZ0aW1ldGFibGU9MSIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJpbnB1dC1ob2xkZXIiLAogICAgImlzLWNoZWNrYm94IiwKICAgICJpcy1sYWJlbC12aXNpYmxlIgpdLCJ0YWdfbmFtZSI6ICJsYWJlbCIsImF0dHJfX2ZvciI6ICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy0yMTAyOSIsImF0dHJfX2NsYXNzIjogImlucHV0LWhvbGRlciBpcy1jaGVja2JveCBpcy1sYWJlbC12aXNpYmxlIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJpbnB1dC13cmFwcGVyIiwKICAgICJkcm9wZG93bl9pdGVtX2NoZWNrYm94LXdyYXBwZXIiLAogICAgInJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzX2l0ZW1fY2hlY2tib3gtd3JhcHBlciIsCiAgICAiaXMtY2hlY2tib3giLAogICAgImlzLWxhYmVsLXZpc2libGUiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImlucHV0LXdyYXBwZXIgZHJvcGRvd25faXRlbV9jaGVja2JveC13cmFwcGVyIHJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzX2l0ZW1fY2hlY2tib3gtd3JhcHBlciBpcy1jaGVja2JveCBpcy1sYWJlbC12aXNpYmxlIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJkcm9wZG93bl9pdGVtIiwKICAgICJpcy1jaGVja2JveCIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd25faXRlbSBpcy1jaGVja2JveCIsIm50aF9jaGlsZCI6IDYsIm50aF9vZl90eXBlIjogNn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiZHJvcGRvd24tbGlzdCIsCiAgICAiaXMtb3BlbmVkIiwKICAgICJpcy1sZWZ0IiwKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cy1saXN0IgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkcm9wZG93bi1saXN0IGlzLW9wZW5lZCBpcy1sZWZ0IHJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzLWxpc3QiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDJ9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duIiwKICAgICJpcy1ub3JtYWwiLAogICAgImlzLW11bHRpIiwKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24gaXMtbm9ybWFsIGlzLW11bHRpIHJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJmaWx0ZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImZpbHRlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnMiCl0sInRhZ19uYW1lIjogImhlYWRlciIsImF0dHJfX2NsYXNzIjogInJlcG9ydHMtY29udGVudF9maWx0ZXJzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLWNvbnRlbnQiCl0sInRhZ19uYW1lIjogInNlY3Rpb24iLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnQiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInBhZ2Vfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAicGFnZV93cmFwcGVyIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAtbWFpbiIKXSwidGFnX25hbWUiOiAibWFpbiIsImF0dHJfX2NsYXNzIjogImFwcC1tYWluIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImFwcCIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAidWkiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2RhdGEtcmVhY3Ryb290IjogIiIsImF0dHJfX2NsYXNzIjogInVpIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtY2FudmFzIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtY2FudmFzIiwiYXR0cl9faWQiOiAiY2FudmFzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtYm9keSIKXSwidGFnX25hbWUiOiAiYm9keSIsImF0dHJfX2NsYXNzIjogImxheW91dC1ib2R5IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfQpdLCIkZWxfdGV4dCI6ICJHYWxpbGVvIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMX19&ip=1&_=1498863435573

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJ0cmFja2VyLWNvbnRyb2wtaW50ZXJhY3RlZCIsInByb3BlcnRpZXMiOiB7IiRvcyI6ICJNYWMgT1MgWCIsIiRicm93c2VyIjogIkNocm9tZSIsIiRjdXJyZW50X3VybCI6ICJodHRwczovL3RyYWNrZXIudG9wdGFsLmNvbS9hcHAvcmVwb3J0cz9zdGFydD0yMDE3LTA2LTI0JmVuZD0yMDE3LTA2LTMwJndvcmtlcnM9YWxsJnByb2plY3RzPTM0ODM0JmNoYXJ0PTEmdGltZXRhYmxlPTIiLCIkYnJvd3Nlcl92ZXJzaW9uIjogNTksIiRzY3JlZW5faGVpZ2h0IjogMTA4MCwiJHNjcmVlbl93aWR0aCI6IDE5MjAsIm1wX2xpYiI6ICJTZWdtZW50OiB3ZWIiLCIkbGliX3ZlcnNpb24iOiAiMi4xMi4wIiwiZGlzdGluY3RfaWQiOiAidHJhY2tlci0xMDg0MyIsIiRpbml0aWFsX3JlZmVycmVyIjogIiRkaXJlY3QiLCIkaW5pdGlhbF9yZWZlcnJpbmdfZG9tYWluIjogIiRkaXJlY3QiLCJtcF9uYW1lX3RhZyI6ICJoZHNwZWVkZnJlYWtAZ21haWwuY29tIiwiaWQiOiAidHJhY2tlci0xMDg0MyIsIiRlbWFpbCI6ICJoZHNwZWVkZnJlYWtAZ21haWwuY29tIiwiJGZpcnN0X25hbWUiOiAiQmVybnQiLCIkbGFzdF9uYW1lIjogIkd1ZG1lc3RhZCIsIiRuYW1lIjogIkJlcm50IEd1ZG1lc3RhZCIsImRpc3BsYXlOYW1lIjogIkJlcm50IEd1ZG1lc3RhZCIsInNvdXJjZSI6ICJ3ZWIiLCJhdmF0YXIiOiB7InR5cGUiOiAiYXZhdGFyIiwiaW1hZ2VfdXJsIjogImh0dHBzOi8vc2VjdXJlLmdyYXZhdGFyLmNvbS9hdmF0YXIvZmI5ZDI4NDA4MTg1OTIyZDE5NGQ3MjM2MzA0NjdmNDU%2FZD1ibGFuayJ9LCJ1c2VkX2Rlc2t0b3AiOiB0cnVlLCJ1c2VkX3dlYiI6IHRydWUsImxhc3RfYWN0aXZpdHlfdGltZSI6ICIyMDE3LTA2LTA1VDAwOjAwOjAwLjAwMFoiLCJzZW50X2ludml0YXRpb25zX2NvdW50IjogMCwicmVhbF9zaWduZWRfdXAiOiAiMjAxNi0xMS0xOFQwMDowMDowMC4wMDBaIiwicHJvamVjdHNfY291bnQiOiAxMiwidHlwZSI6ICJidXR0b24iLCJ0aXRsZSI6ICJPcGVuIENhbGVuZGFyIiwiaW50ZXJhY3Rpb25UeXBlIjogImNsaWNrIiwic3R5bGUiOiB7ImNsYXNzTmFtZSI6ICJkYXRlX3BpY2tlci1saW5rIn0sImRvY3VtZW50VGl0bGUiOiAiUmVwb3J0cyB8IFRvcFRyYWNrZXIiLCJ1cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0zNDgzNCZjaGFydD0xJnRpbWV0YWJsZT0yIiwidXJsU2VhcmNoIjogIj9zdGFydD0yMDE3LTA2LTI0JmVuZD0yMDE3LTA2LTMwJndvcmtlcnM9YWxsJnByb2plY3RzPTM0ODM0JmNoYXJ0PTEmdGltZXRhYmxlPTIiLCJ0aW1lWm9uZSI6ICJBbWVyaWNhL0xvc19BbmdlbGVzIiwidXNlcl9hZ2VudCI6IHsiY2xpZW50IjogIldlYiIsIm9zX3R5cGUiOiAibWFjIiwiYnJvd3Nlcl90eXBlIjogImNocm9tZSJ9LCJ0b2tlbiI6ICIyOWFiY2U0NzIyNTFmZmVlMjg5ZDAyYjQ3OGQ3OWMyNCIsIiRfX2MiOiAwfX0%3D&ip=1&_=1498863371777

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJ0cmFja2VyLXNpZ24taW4iLCJwcm9wZXJ0aWVzIjogeyIkb3MiOiAiTWFjIE9TIFgiLCIkYnJvd3NlciI6ICJDaHJvbWUiLCIkY3VycmVudF91cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHMiLCIkYnJvd3Nlcl92ZXJzaW9uIjogNTksIiRzY3JlZW5faGVpZ2h0IjogMTA4MCwiJHNjcmVlbl93aWR0aCI6IDE5MjAsIm1wX2xpYiI6ICJTZWdtZW50OiB3ZWIiLCIkbGliX3ZlcnNpb24iOiAiMi4xMi4wIiwiZGlzdGluY3RfaWQiOiAidHJhY2tlci0xMDg0MyIsIiRpbml0aWFsX3JlZmVycmVyIjogIiRkaXJlY3QiLCIkaW5pdGlhbF9yZWZlcnJpbmdfZG9tYWluIjogIiRkaXJlY3QiLCJtcF9uYW1lX3RhZyI6ICJoZHNwZWVkZnJlYWtAZ21haWwuY29tIiwiaWQiOiAidHJhY2tlci0xMDg0MyIsIiRlbWFpbCI6ICJoZHNwZWVkZnJlYWtAZ21haWwuY29tIiwiJGZpcnN0X25hbWUiOiAiQmVybnQiLCIkbGFzdF9uYW1lIjogIkd1ZG1lc3RhZCIsIiRuYW1lIjogIkJlcm50IEd1ZG1lc3RhZCIsImRpc3BsYXlOYW1lIjogIkJlcm50IEd1ZG1lc3RhZCIsInNvdXJjZSI6ICJ3ZWIiLCJhdmF0YXIiOiB7InR5cGUiOiAiYXZhdGFyIiwiaW1hZ2VfdXJsIjogImh0dHBzOi8vc2VjdXJlLmdyYXZhdGFyLmNvbS9hdmF0YXIvZmI5ZDI4NDA4MTg1OTIyZDE5NGQ3MjM2MzA0NjdmNDU%2FZD1ibGFuayJ9LCJ1c2VkX2Rlc2t0b3AiOiB0cnVlLCJ1c2VkX3dlYiI6IHRydWUsImxhc3RfYWN0aXZpdHlfdGltZSI6ICIyMDE3LTA2LTA1VDAwOjAwOjAwLjAwMFoiLCJzZW50X2ludml0YXRpb25zX2NvdW50IjogMCwicmVhbF9zaWduZWRfdXAiOiAiMjAxNi0xMS0xOFQwMDowMDowMC4wMDBaIiwicHJvamVjdHNfY291bnQiOiAxMiwidmlhIjogImZvcm0iLCJyZW1lbWJlck1lIjogdHJ1ZSwiZG9jdW1lbnRUaXRsZSI6ICJTaWduIEluIHwgVG9wVHJhY2tlciIsInVybCI6ICJodHRwczovL3RyYWNrZXIudG9wdGFsLmNvbS9hcHAvcmVwb3J0cyIsInVybFNlYXJjaCI6ICIiLCJ0aW1lWm9uZSI6ICJBbWVyaWNhL0xvc19BbmdlbGVzIiwidXNlcl9hZ2VudCI6IHsiY2xpZW50IjogIldlYiIsIm9zX3R5cGUiOiAibWFjIiwiYnJvd3Nlcl90eXBlIjogImNocm9tZSJ9LCJ0b2tlbiI6ICIyOWFiY2U0NzIyNTFmZmVlMjg5ZDAyYjQ3OGQ3OWMyNCIsIiRfX2MiOiAxfX0%3D&ip=1&_=1498863350079

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJ0cmFja2VyLXJlcG9ydHNfc2V0dGluZ3MiLCJwcm9wZXJ0aWVzIjogeyIkb3MiOiAiTWFjIE9TIFgiLCIkYnJvd3NlciI6ICJDaHJvbWUiLCIkY3VycmVudF91cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz1ub25lJmNoYXJ0PTEmdGltZXRhYmxlPTIiLCIkYnJvd3Nlcl92ZXJzaW9uIjogNTksIiRzY3JlZW5faGVpZ2h0IjogMTA4MCwiJHNjcmVlbl93aWR0aCI6IDE5MjAsIm1wX2xpYiI6ICJTZWdtZW50OiB3ZWIiLCIkbGliX3ZlcnNpb24iOiAiMi4xMi4wIiwiZGlzdGluY3RfaWQiOiAidHJhY2tlci0xMDg0MyIsIiRpbml0aWFsX3JlZmVycmVyIjogIiRkaXJlY3QiLCIkaW5pdGlhbF9yZWZlcnJpbmdfZG9tYWluIjogIiRkaXJlY3QiLCJtcF9uYW1lX3RhZyI6ICJoZHNwZWVkZnJlYWtAZ21haWwuY29tIiwiaWQiOiAidHJhY2tlci0xMDg0MyIsIiRlbWFpbCI6ICJoZHNwZWVkZnJlYWtAZ21haWwuY29tIiwiJGZpcnN0X25hbWUiOiAiQmVybnQiLCIkbGFzdF9uYW1lIjogIkd1ZG1lc3RhZCIsIiRuYW1lIjogIkJlcm50IEd1ZG1lc3RhZCIsImRpc3BsYXlOYW1lIjogIkJlcm50IEd1ZG1lc3RhZCIsInNvdXJjZSI6ICJ3ZWIiLCJhdmF0YXIiOiB7InR5cGUiOiAiYXZhdGFyIiwiaW1hZ2VfdXJsIjogImh0dHBzOi8vc2VjdXJlLmdyYXZhdGFyLmNvbS9hdmF0YXIvZmI5ZDI4NDA4MTg1OTIyZDE5NGQ3MjM2MzA0NjdmNDU%2FZD1ibGFuayJ9LCJ1c2VkX2Rlc2t0b3AiOiB0cnVlLCJ1c2VkX3dlYiI6IHRydWUsImxhc3RfYWN0aXZpdHlfdGltZSI6ICIyMDE3LTA2LTA1VDAwOjAwOjAwLjAwMFoiLCJzZW50X2ludml0YXRpb25zX2NvdW50IjogMCwicmVhbF9zaWduZWRfdXAiOiAiMjAxNi0xMS0xOFQwMDowMDowMC4wMDBaIiwicHJvamVjdHNfY291bnQiOiAxMiwiZGF0ZVJhbmdlIjogNywic3RhcnREYXRlIjogIjIwMTctMDYtMjRUMDA6MDA6MDAuMDAwWiIsImVuZERhdGUiOiAiMjAxNy0wNi0zMFQwMDowMDowMC4wMDBaIiwibnVtYmVyT2ZQcm9qZWN0cyI6ICJObyBwcm9qZWN0cyB3ZXJlIHNlbGVjdGVkIiwibnVtYmVyT2ZXb3JrZXJzIjogNCwiZG9jdW1lbnRUaXRsZSI6ICJSZXBvcnRzIHwgVG9wVHJhY2tlciIsInVybCI6ICJodHRwczovL3RyYWNrZXIudG9wdGFsLmNvbS9hcHAvcmVwb3J0cz9zdGFydD0yMDE3LTA2LTI0JmVuZD0yMDE3LTA2LTMwJndvcmtlcnM9YWxsJnByb2plY3RzPW5vbmUmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsInVybFNlYXJjaCI6ICI%2Fc3RhcnQ9MjAxNy0wNi0yNCZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz1ub25lJmNoYXJ0PTEmdGltZXRhYmxlPTIiLCJ0aW1lWm9uZSI6ICJBbWVyaWNhL0xvc19BbmdlbGVzIiwidXNlcl9hZ2VudCI6IHsiY2xpZW50IjogIldlYiIsIm9zX3R5cGUiOiAibWFjIiwiYnJvd3Nlcl90eXBlIjogImNocm9tZSJ9LCJ0b2tlbiI6ICIyOWFiY2U0NzIyNTFmZmVlMjg5ZDAyYjQ3OGQ3OWMyNCIsIiRfX2MiOiAwfX0%3D&ip=1&_=1498863367730

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MjEwMjkmY2hhcnQ9MSZ0aW1ldGFibGU9MSIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLWNvbnRlbnQiCl0sInRhZ19uYW1lIjogInNlY3Rpb24iLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnQiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInBhZ2Vfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAicGFnZV93cmFwcGVyIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAtbWFpbiIKXSwidGFnX25hbWUiOiAibWFpbiIsImF0dHJfX2NsYXNzIjogImFwcC1tYWluIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImFwcCIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAidWkiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2RhdGEtcmVhY3Ryb290IjogIiIsImF0dHJfX2NsYXNzIjogInVpIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtY2FudmFzIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtY2FudmFzIiwiYXR0cl9faWQiOiAiY2FudmFzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtYm9keSIKXSwidGFnX25hbWUiOiAiYm9keSIsImF0dHJfX2NsYXNzIjogImxheW91dC1ib2R5IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfQpdLCIkZWxfdGV4dCI6ICJQcm9qZWN0c0dhbGlsZW9TZWxlY3QgYWxsIFByb2plY3RzQ29tbWV4aXNHRU5FUkFMSW5zcGlyZSBMaXZlR2lsY2hyaXN0IGFuZCBTb2FtZXNHYWxpbGVvQ29vayBQb2xpdGljYWxCRHJ5Qmx1ZU5pbGUgQXBwWWV0aWlTY2hvb2xJbml0aWF0aXZlR3JheSBTdHJlZXRWYXJpY2tDbG9zZU1lbWJlcnNCZXJudCBHdWRtZXN0YWRTdGV2ZSBTdXp1a2lKZXNzaWVEYXZpZCBCdWNoYW5hblNlbGVjdCBhbGwgTWVtYmVyc0Jlcm50IEd1ZG1lc3RhZFN0ZXZlIFMiLCJ0b2tlbiI6ICIyOWFiY2U0NzIyNTFmZmVlMjg5ZDAyYjQ3OGQ3OWMyNCIsIiRfX2MiOiAxfX0%3D&ip=1&_=1498863437645

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9Mjk3NzYtNjkyNDUtNzI5NjgtNzAzNzYtMjEwMjktMjEwMzEtMzk1MDItMjEwMjgtMzQ4MzQtNjQ2MTEtMjI2NDgtMjEwMzAmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJkcm9wZG93bi10YWdfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24tdGFnX3dyYXBwZXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duLWJ1dHRvbiIsCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtYnV0dG9uIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkcm9wZG93bi1idXR0b24gcmVwb3J0cy1jb250ZW50X2ZpbHRlcnNfcHJvamVjdHMtYnV0dG9uIiwiYXR0cl9fdGl0bGUiOiAiUHJvamVjdHMiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRyb3Bkb3duIiwKICAgICJpcy1ub3JtYWwiLAogICAgImlzLW11bHRpIiwKICAgICJyZXBvcnRzLWNvbnRlbnRfZmlsdGVyc19wcm9qZWN0cyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZHJvcGRvd24gaXMtbm9ybWFsIGlzLW11bHRpIHJlcG9ydHMtY29udGVudF9maWx0ZXJzX3Byb2plY3RzIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJmaWx0ZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImZpbHRlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicmVwb3J0cy1jb250ZW50X2ZpbHRlcnMiCl0sInRhZ19uYW1lIjogImhlYWRlciIsImF0dHJfX2NsYXNzIjogInJlcG9ydHMtY29udGVudF9maWx0ZXJzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJyZXBvcnRzLWNvbnRlbnQiCl0sInRhZ19uYW1lIjogInNlY3Rpb24iLCJhdHRyX19jbGFzcyI6ICJyZXBvcnRzLWNvbnRlbnQiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInBhZ2Vfd3JhcHBlciIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAicGFnZV93cmFwcGVyIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAtbWFpbiIKXSwidGFnX25hbWUiOiAibWFpbiIsImF0dHJfX2NsYXNzIjogImFwcC1tYWluIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhcHAiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImFwcCIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMn0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAidWkiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2RhdGEtcmVhY3Ryb290IjogIiIsImF0dHJfX2NsYXNzIjogInVpIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtY2FudmFzIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtY2FudmFzIiwiYXR0cl9faWQiOiAiY2FudmFzIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJsYXlvdXQtYm9keSIKXSwidGFnX25hbWUiOiAiYm9keSIsImF0dHJfX2NsYXNzIjogImxheW91dC1ib2R5IiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAxfQpdLCIkZWxfdGV4dCI6ICJHRU5FUkFMQ29tbWV4aXNJbnNwaXJlIExpdmVHaWxjaHJpc3QgYW5kIFNvYW1lc0dhbGlsZW9Db29rIFBvbGl0aWNhbEJEcnlCbHVlTmlsZSBBcHBZZXRpaVNjaG9vbEluaXRpYXRpdmVHcmF5IFN0cmVldFZhcmljayIsInRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0IiwiJF9fYyI6IDF9fQ%3D%3D&ip=1&_=1498863366542

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMjQmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MzQ4MzQmY2hhcnQ9MSZ0aW1ldGFibGU9MiIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9hcHAvcmVwb3J0cyIsIiRlbGVtZW50cyI6IFsKICAgIHsiY2xhc3NlcyI6IFsKICAgICJkYXRlX3BpY2tlci1sYWJlbF9yYW5nZSIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZGF0ZV9waWNrZXItbGFiZWxfcmFuZ2UiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRhdGVfcGlja2VyLWxhYmVsX2RhdGUiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImRhdGVfcGlja2VyLWxhYmVsX2RhdGUiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRhdGVfcGlja2VyLWxhYmVsIgpdLCJ0YWdfbmFtZSI6ICJzcGFuIiwiYXR0cl9fY2xhc3MiOiAiZGF0ZV9waWNrZXItbGFiZWwiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImFic3RyYWN0X2xpbmsiLAogICAgImRhdGVfcGlja2VyLWxpbmsiLAogICAgImFic3RyYWN0X2xpbmstYnV0dG9uIgpdLCJ0YWdfbmFtZSI6ICJidXR0b24iLCJhdHRyX190eXBlIjogImJ1dHRvbiIsImF0dHJfX2NsYXNzIjogImFic3RyYWN0X2xpbmsgZGF0ZV9waWNrZXItbGluayBhYnN0cmFjdF9saW5rLWJ1dHRvbiIsImF0dHJfX3RpdGxlIjogIk9wZW4gQ2FsZW5kYXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImRhdGVfcGlja2VyIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJkYXRlX3BpY2tlciIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicGFnZV90aXRsZS1hY3Rpb25zIgpdLCJ0YWdfbmFtZSI6ICJuYXYiLCJhdHRyX19jbGFzcyI6ICJwYWdlX3RpdGxlLWFjdGlvbnMiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgInBhZ2VfdGl0bGUiLAogICAgImlzLW1vYmlsZV90d29fbGluZXMiCl0sInRhZ19uYW1lIjogImhlYWRlciIsImF0dHJfX2NsYXNzIjogInBhZ2VfdGl0bGUgaXMtbW9iaWxlX3R3b19saW5lcyIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAicGFnZV93cmFwcGVyIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJwYWdlX3dyYXBwZXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImFwcC1tYWluIgpdLCJ0YWdfbmFtZSI6ICJtYWluIiwiYXR0cl9fY2xhc3MiOiAiYXBwLW1haW4iLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImFwcCIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiYXBwIiwibnRoX2NoaWxkIjogMiwibnRoX29mX3R5cGUiOiAyfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJ1aSIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fZGF0YS1yZWFjdHJvb3QiOiAiIiwiYXR0cl9fY2xhc3MiOiAidWkiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImxheW91dC1jYW52YXMiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImxheW91dC1jYW52YXMiLCJhdHRyX19pZCI6ICJjYW52YXMiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImxheW91dC1ib2R5IgpdLCJ0YWdfbmFtZSI6ICJib2R5IiwiYXR0cl9fY2xhc3MiOiAibGF5b3V0LWJvZHkiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9Cl0sIiRlbF90ZXh0IjogIkp1biAyNHRoIOKAlCBKdW4gMzB0aCIsInRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0IiwiJF9fYyI6IDF9fQ%3D%3D&ip=1&_=1498863371763

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJMb2FkZWQgYSBQYWdlIiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL2FwcC9yZXBvcnRzP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MjEwMjkmY2hhcnQ9MiZ0aW1ldGFibGU9MSIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCJuYW1lIjogInJlcG9ydHMiLCJwYXRoIjogIi9hcHAvcmVwb3J0cyIsInJlZmVycmVyIjogIiIsInNlYXJjaCI6ICI%2Fc3RhcnQ9MjAxNy0wNi0wMSZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yMTAyOSZjaGFydD0yJnRpbWV0YWJsZT0xIiwidGl0bGUiOiAiUmVwb3J0cyB8IFRvcFRyYWNrZXIiLCJ1cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0wMSZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yMTAyOSZjaGFydD0yJnRpbWV0YWJsZT0xIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQiLCIkX19jIjogMH19&ip=1&_=1498863445365

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJtcF9wYWdlX3ZpZXciLCJwcm9wZXJ0aWVzIjogeyIkb3MiOiAiTWFjIE9TIFgiLCIkYnJvd3NlciI6ICJDaHJvbWUiLCIkcmVmZXJyZXIiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vP2VtYWlsPWhkc3BlZWRmcmVhayU0MGdtYWlsLmNvbSZwYXNzd29yZD1meGRsOTcmcmVtZW1iZXJfbWU9b24iLCIkcmVmZXJyaW5nX2RvbWFpbiI6ICJ0cmFja2VyLnRvcHRhbC5jb20iLCIkY3VycmVudF91cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vc2lnbmluIiwiJGJyb3dzZXJfdmVyc2lvbiI6IDU5LCIkc2NyZWVuX2hlaWdodCI6IDEwODAsIiRzY3JlZW5fd2lkdGgiOiAxOTIwLCJtcF9saWIiOiAiU2VnbWVudDogd2ViIiwiJGxpYl92ZXJzaW9uIjogIjIuMTIuMCIsImRpc3RpbmN0X2lkIjogInRyYWNrZXItMTA4NDMiLCIkaW5pdGlhbF9yZWZlcnJlciI6ICIkZGlyZWN0IiwiJGluaXRpYWxfcmVmZXJyaW5nX2RvbWFpbiI6ICIkZGlyZWN0IiwibXBfbmFtZV90YWciOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsImlkIjogInRyYWNrZXItMTA4NDMiLCIkZW1haWwiOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsIiRmaXJzdF9uYW1lIjogIkJlcm50IiwiJGxhc3RfbmFtZSI6ICJHdWRtZXN0YWQiLCIkbmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJkaXNwbGF5TmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJzb3VyY2UiOiAid2ViIiwiYXZhdGFyIjogeyJ0eXBlIjogImF2YXRhciIsImltYWdlX3VybCI6ICJodHRwczovL3NlY3VyZS5ncmF2YXRhci5jb20vYXZhdGFyL2ZiOWQyODQwODE4NTkyMmQxOTRkNzIzNjMwNDY3ZjQ1P2Q9YmxhbmsifSwidXNlZF9kZXNrdG9wIjogdHJ1ZSwidXNlZF93ZWIiOiB0cnVlLCJsYXN0X2FjdGl2aXR5X3RpbWUiOiAiMjAxNy0wNi0wNVQwMDowMDowMC4wMDBaIiwic2VudF9pbnZpdGF0aW9uc19jb3VudCI6IDAsInJlYWxfc2lnbmVkX3VwIjogIjIwMTYtMTEtMThUMDA6MDA6MDAuMDAwWiIsInByb2plY3RzX2NvdW50IjogMTIsIm1wX3BhZ2UiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vc2lnbmluIiwibXBfcmVmZXJyZXIiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vP2VtYWlsPWhkc3BlZWRmcmVhayU0MGdtYWlsLmNvbSZwYXNzd29yZD1meGRsOTcmcmVtZW1iZXJfbWU9b24iLCJtcF9icm93c2VyIjogIkNocm9tZSIsIm1wX3BsYXRmb3JtIjogIk1hYyBPUyBYIiwidG9rZW4iOiAiMjlhYmNlNDcyMjUxZmZlZTI4OWQwMmI0NzhkNzljMjQifX0%3D&ip=1&_=1498863349822

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICJ0cmFja2VyLXJlcG9ydHNfc2V0dGluZ3MiLCJwcm9wZXJ0aWVzIjogeyIkb3MiOiAiTWFjIE9TIFgiLCIkYnJvd3NlciI6ICJDaHJvbWUiLCIkY3VycmVudF91cmwiOiAiaHR0cHM6Ly90cmFja2VyLnRvcHRhbC5jb20vYXBwL3JlcG9ydHM%2Fc3RhcnQ9MjAxNy0wNi0wMSZlbmQ9MjAxNy0wNi0zMCZ3b3JrZXJzPWFsbCZwcm9qZWN0cz0yMTAyOSZjaGFydD0xJnRpbWV0YWJsZT0xIiwiJGJyb3dzZXJfdmVyc2lvbiI6IDU5LCIkc2NyZWVuX2hlaWdodCI6IDEwODAsIiRzY3JlZW5fd2lkdGgiOiAxOTIwLCJtcF9saWIiOiAiU2VnbWVudDogd2ViIiwiJGxpYl92ZXJzaW9uIjogIjIuMTIuMCIsImRpc3RpbmN0X2lkIjogInRyYWNrZXItMTA4NDMiLCIkaW5pdGlhbF9yZWZlcnJlciI6ICIkZGlyZWN0IiwiJGluaXRpYWxfcmVmZXJyaW5nX2RvbWFpbiI6ICIkZGlyZWN0IiwibXBfbmFtZV90YWciOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsImlkIjogInRyYWNrZXItMTA4NDMiLCIkZW1haWwiOiAiaGRzcGVlZGZyZWFrQGdtYWlsLmNvbSIsIiRmaXJzdF9uYW1lIjogIkJlcm50IiwiJGxhc3RfbmFtZSI6ICJHdWRtZXN0YWQiLCIkbmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJkaXNwbGF5TmFtZSI6ICJCZXJudCBHdWRtZXN0YWQiLCJzb3VyY2UiOiAid2ViIiwiYXZhdGFyIjogeyJ0eXBlIjogImF2YXRhciIsImltYWdlX3VybCI6ICJodHRwczovL3NlY3VyZS5ncmF2YXRhci5jb20vYXZhdGFyL2ZiOWQyODQwODE4NTkyMmQxOTRkNzIzNjMwNDY3ZjQ1P2Q9YmxhbmsifSwidXNlZF9kZXNrdG9wIjogdHJ1ZSwidXNlZF93ZWIiOiB0cnVlLCJsYXN0X2FjdGl2aXR5X3RpbWUiOiAiMjAxNy0wNi0wNVQwMDowMDowMC4wMDBaIiwic2VudF9pbnZpdGF0aW9uc19jb3VudCI6IDAsInJlYWxfc2lnbmVkX3VwIjogIjIwMTYtMTEtMThUMDA6MDA6MDAuMDAwWiIsInByb2plY3RzX2NvdW50IjogMTIsImRhdGVSYW5nZSI6IDMwLCJzdGFydERhdGUiOiAiMjAxNy0wNi0wMVQwMDowMDowMC4wMDBaIiwiZW5kRGF0ZSI6ICIyMDE3LTA2LTMwVDAwOjAwOjAwLjAwMFoiLCJudW1iZXJPZlByb2plY3RzIjogMSwibnVtYmVyT2ZXb3JrZXJzIjogNCwiZG9jdW1lbnRUaXRsZSI6ICJSZXBvcnRzIHwgVG9wVHJhY2tlciIsInVybCI6ICJodHRwczovL3RyYWNrZXIudG9wdGFsLmNvbS9hcHAvcmVwb3J0cz9zdGFydD0yMDE3LTA2LTAxJmVuZD0yMDE3LTA2LTMwJndvcmtlcnM9YWxsJnByb2plY3RzPTIxMDI5JmNoYXJ0PTEmdGltZXRhYmxlPTEiLCJ1cmxTZWFyY2giOiAiP3N0YXJ0PTIwMTctMDYtMDEmZW5kPTIwMTctMDYtMzAmd29ya2Vycz1hbGwmcHJvamVjdHM9MjEwMjkmY2hhcnQ9MSZ0aW1ldGFibGU9MSIsInRpbWVab25lIjogIkFtZXJpY2EvTG9zX0FuZ2VsZXMiLCJ1c2VyX2FnZW50IjogeyJjbGllbnQiOiAiV2ViIiwib3NfdHlwZSI6ICJtYWMiLCJicm93c2VyX3R5cGUiOiAiY2hyb21lIn0sInRva2VuIjogIjI5YWJjZTQ3MjI1MWZmZWUyODlkMDJiNDc4ZDc5YzI0IiwiJF9fYyI6IDB9fQ%3D%3D&ip=1&_=1498863436824

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.mixpanel.com/track/?data=eyJldmVudCI6ICIkd2ViX2V2ZW50IiwicHJvcGVydGllcyI6IHsiJG9zIjogIk1hYyBPUyBYIiwiJGJyb3dzZXIiOiAiQ2hyb21lIiwiJGN1cnJlbnRfdXJsIjogImh0dHBzOi8vdHJhY2tlci50b3B0YWwuY29tL3NpZ25pbj9yZXR1cm4tdG89JTJGYXBwJTJGcmVwb3J0cyIsIiRicm93c2VyX3ZlcnNpb24iOiA1OSwiJHNjcmVlbl9oZWlnaHQiOiAxMDgwLCIkc2NyZWVuX3dpZHRoIjogMTkyMCwibXBfbGliIjogIlNlZ21lbnQ6IHdlYiIsIiRsaWJfdmVyc2lvbiI6ICIyLjEyLjAiLCJkaXN0aW5jdF9pZCI6ICJ0cmFja2VyLTEwODQzIiwiJGluaXRpYWxfcmVmZXJyZXIiOiAiJGRpcmVjdCIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAiJGRpcmVjdCIsIm1wX25hbWVfdGFnIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCJpZCI6ICJ0cmFja2VyLTEwODQzIiwiJGVtYWlsIjogImhkc3BlZWRmcmVha0BnbWFpbC5jb20iLCIkZmlyc3RfbmFtZSI6ICJCZXJudCIsIiRsYXN0X25hbWUiOiAiR3VkbWVzdGFkIiwiJG5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwiZGlzcGxheU5hbWUiOiAiQmVybnQgR3VkbWVzdGFkIiwic291cmNlIjogIndlYiIsImF2YXRhciI6IHsidHlwZSI6ICJhdmF0YXIiLCJpbWFnZV91cmwiOiAiaHR0cHM6Ly9zZWN1cmUuZ3JhdmF0YXIuY29tL2F2YXRhci9mYjlkMjg0MDgxODU5MjJkMTk0ZDcyMzYzMDQ2N2Y0NT9kPWJsYW5rIn0sInVzZWRfZGVza3RvcCI6IHRydWUsInVzZWRfd2ViIjogdHJ1ZSwibGFzdF9hY3Rpdml0eV90aW1lIjogIjIwMTctMDYtMDVUMDA6MDA6MDAuMDAwWiIsInNlbnRfaW52aXRhdGlvbnNfY291bnQiOiAwLCJyZWFsX3NpZ25lZF91cCI6ICIyMDE2LTExLTE4VDAwOjAwOjAwLjAwMFoiLCJwcm9qZWN0c19jb3VudCI6IDEyLCIkZXZlbnRfdHlwZSI6ICJjbGljayIsIiRjZV92ZXJzaW9uIjogMSwiJGhvc3QiOiAidHJhY2tlci50b3B0YWwuY29tIiwiJHBhdGhuYW1lIjogIi9zaWduaW4iLCIkZWxlbWVudHMiOiBbCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYWJzdHJhY3RfbGluay1sYWJlbCIsCiAgICAiZm9ybV9hY3Rpb25zLWJ1dHRvbiIsCiAgICAic2lnbl9pbi1mb3JtX2FjdGlvbnMtYnV0dG9uLWxhYmVsIgpdLCJ0YWdfbmFtZSI6ICJzcGFuIiwiYXR0cl9fY2xhc3MiOiAiYWJzdHJhY3RfbGluay1sYWJlbCBmb3JtX2FjdGlvbnMtYnV0dG9uIHNpZ25faW4tZm9ybV9hY3Rpb25zLWJ1dHRvbi1sYWJlbCIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYWJzdHJhY3RfbGluayIsCiAgICAiZm9ybV9hY3Rpb25zLWJ1dHRvbiIsCiAgICAic2lnbl9pbi1mb3JtX2FjdGlvbnMtYnV0dG9uIiwKICAgICJhYnN0cmFjdF9saW5rLWJ1dHRvbiIsCiAgICAiaXMtZnVsbF93aWR0aCIsCiAgICAiaXMtYnV0dG9uIiwKICAgICJpcy1idXR0b25fcHJpbWFyeSIsCiAgICAiaXMtYnV0dG9uX3NpemVfYmlnIgpdLCJ0YWdfbmFtZSI6ICJidXR0b24iLCJhdHRyX190eXBlIjogInN1Ym1pdCIsImF0dHJfX2NsYXNzIjogImFic3RyYWN0X2xpbmsgZm9ybV9hY3Rpb25zLWJ1dHRvbiBzaWduX2luLWZvcm1fYWN0aW9ucy1idXR0b24gYWJzdHJhY3RfbGluay1idXR0b24gaXMtZnVsbF93aWR0aCBpcy1idXR0b24gaXMtYnV0dG9uX3ByaW1hcnkgaXMtYnV0dG9uX3NpemVfYmlnIiwiYXR0cl9fdGl0bGUiOiAiU2lnbiBJbiIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiZm9ybV9hY3Rpb25zLWJ1dHRvbl93cmFwcGVyIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJmb3JtX2FjdGlvbnMtYnV0dG9uX3dyYXBwZXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImZvcm1fYWN0aW9ucyIsCiAgICAic2lnbl9pbi1mb3JtX2FjdGlvbnMiLAogICAgImhhcy1mdWxsX3dpZHRoX2FjdGlvbiIsCiAgICAiaXMtYmlnIiwKICAgICJpcy1yaWdodCIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAiZm9ybV9hY3Rpb25zIHNpZ25faW4tZm9ybV9hY3Rpb25zIGhhcy1mdWxsX3dpZHRoX2FjdGlvbiBpcy1iaWcgaXMtcmlnaHQiLCJudGhfY2hpbGQiOiA0LCJudGhfb2ZfdHlwZSI6IDN9LAogICAgeyJjbGFzc2VzIjogWwogICAgIm1vZGFsLWNvbnRlbnQiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogIm1vZGFsLWNvbnRlbnQiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgIm1vZGFsIiwKICAgICJoYXMtYmlnX3BhZGRpbmciLAogICAgImlzLXJvdW5kZWQiLAogICAgImlzLW5vX3NoYWRvd19zdHlsZSIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAibW9kYWwgaGFzLWJpZ19wYWRkaW5nIGlzLXJvdW5kZWQgaXMtbm9fc2hhZG93X3N0eWxlIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJhdXRoX21vZGFsIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJhdXRoX21vZGFsIiwibnRoX2NoaWxkIjogMSwibnRoX29mX3R5cGUiOiAxfSwKICAgIHsiY2xhc3NlcyI6IFsKICAgICJzaWduX2luIgpdLCJ0YWdfbmFtZSI6ICJmb3JtIiwiYXR0cl9fY2xhc3MiOiAic2lnbl9pbiIsImF0dHJfX2F1dG9jb21wbGV0ZSI6ICJvbiIsImF0dHJfX2FjdGlvbiI6ICIvIiwiYXR0cl9fdGFyZ2V0IjogImdob3N0X2Zvcm0iLCJhdHRyX19fbHBjaGVja2VkIjogIjEiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImZvcm0iLAogICAgInNpZ25faW4iCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImZvcm0gc2lnbl9pbiIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAiYXV0aC1jb250ZW50IgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19jbGFzcyI6ICJhdXRoLWNvbnRlbnQiLCJudGhfY2hpbGQiOiAzLCJudGhfb2ZfdHlwZSI6IDN9LAogICAgeyJjbGFzc2VzIjogWwogICAgImF1dGgtaW5uZXIiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImF1dGgtaW5uZXIiLCJudGhfY2hpbGQiOiAxLCJudGhfb2ZfdHlwZSI6IDF9LAogICAgeyJjbGFzc2VzIjogWwogICAgImF1dGgiCl0sInRhZ19uYW1lIjogImRpdiIsImF0dHJfX2NsYXNzIjogImF1dGgiLCJudGhfY2hpbGQiOiAyLCJudGhfb2ZfdHlwZSI6IDJ9LAogICAgeyJjbGFzc2VzIjogWwogICAgInVpIgpdLCJ0YWdfbmFtZSI6ICJkaXYiLCJhdHRyX19kYXRhLXJlYWN0cm9vdCI6ICIiLCJhdHRyX19jbGFzcyI6ICJ1aSIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWNhbnZhcyIKXSwidGFnX25hbWUiOiAiZGl2IiwiYXR0cl9fY2xhc3MiOiAibGF5b3V0LWNhbnZhcyIsImF0dHJfX2lkIjogImNhbnZhcyIsIm50aF9jaGlsZCI6IDEsIm50aF9vZl90eXBlIjogMX0sCiAgICB7ImNsYXNzZXMiOiBbCiAgICAibGF5b3V0LWJvZHkiCl0sInRhZ19uYW1lIjogImJvZHkiLCJhdHRyX19jbGFzcyI6ICJsYXlvdXQtYm9keSIsIm50aF9jaGlsZCI6IDIsIm50aF9vZl90eXBlIjogMX0KXSwiJGVsX3RleHQiOiAiU2lnbiBJbiIsIiRmb3JtX2ZpZWxkX19lbWFpbCI6ICJCbHVlTmlsZVNXIiwiJGZvcm1fZmllbGRfX3JlbWVtYmVyX21lIjogWwogICAgIm9uIgpdLCJ0b2tlbiI6ICIyOWFiY2U0NzIyNTFmZmVlMjg5ZDAyYjQ3OGQ3OWMyNCIsIiRfX2MiOiAyfX0%3D&ip=1&_=1498863344125

    Method

GET

    Parameter

X-Content-Type-Options

Instances

61

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/presence?detailedTelephonyState=true

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/account/~/dialing-plan

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/dictionary/country/1

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/presence?detailedTelephoneState=true

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/subscription

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/message-sync?syncType=ISync&syncToken=AQEAAAAAAwAAAVzaaNd4BgAAAPoFAAABXPrlD5QTAAgAAAAAiz_27AkBCgGxtSaN

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/phone-number?usageType=DirectNumber&page=1&perPage=250

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/active-calls?perPage=100&dateFrom=2017-06-30T19%3A25%3A38.214Z

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/message-sync?dateFrom=2017-06-23T21%3A25%3A37.209Z&syncType=FSync

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/subscription/b3b7d97a-fc8c-4152-ab62-41642c1fa8aa

    Method

PUT

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/phone-number?page=1&perPage=250

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/v1.0/account/~

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://api.ringcentral.com/restapi/oauth/token

    Method

POST

    Parameter

X-Content-Type-Options

Instances

14

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/phone-number?page=1&perPage=250

    Method

GET

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/presence?detailedTelephoneState=true

    Method

GET

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/dictionary/country/1

    Method

GET

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/phone-number?usageType=DirectNumber&page=1&perPage=250

    Method

GET

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/subscription

    Method

POST

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/active-calls?perPage=100&dateFrom=2017-06-30T19%3A25%3A38.214Z

    Method

GET

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/message-sync?syncType=ISync&syncToken=AQEAAAAAAwAAAVzaaNd4BgAAAPoFAAABXPrlD5QTAAgAAAAAiz_27AkBCgGxtSaN

    Method

GET

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/subscription/b3b7d97a-fc8c-4152-ab62-41642c1fa8aa

    Method

PUT

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~

    Method

GET

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/message-sync?dateFrom=2017-06-23T21%3A25%3A37.209Z&syncType=FSync

    Method

GET

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/account/~/dialing-plan

    Method

GET

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/oauth/token

    Method

POST

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/account/~

    Method

GET

    Parameter

Cache-Control

URL

https://api.ringcentral.com/restapi/v1.0/account/~/extension/~/presence?detailedTelephonyState=true

    Method

GET

    Parameter

Cache-Control

Instances

14

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://api.segment.io/v1/i

    Method

POST

    Parameter

Cache-Control

URL

https://api.segment.io/v1/t

    Method

POST

    Parameter

Cache-Control

URL

https://api.segment.io/v1/p

    Method

POST

    Parameter

Cache-Control

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://api.segment.io/v1/i

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://api.segment.io/v1/p

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://api.segment.io/v1/t

    Method

POST

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://api.trello.com/1/board/58b0cf42257d830628751f5d/checkItems?key=c353aea012edca7d1b850ab522153e17&token=c1b894c6885fd7defa3cf07b8eeb41d2273d762fde8e088ec8aea5fe6c64a6df

    Method

GET

    Parameter

lang

    Evidence

Set-Cookie: lang

URL

https://api.trello.com/1/

    Method

GET

    Parameter

lang

    Evidence

Set-Cookie: lang

Instances

2

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://api.trello.com/1/

    Method

GET

    Parameter

lang

    Evidence

Set-Cookie: lang

URL

https://api.trello.com/1/batch?urls=/board/581281c8a470fbda670c2241/cards?fields=id,name,/board/58b0cf42257d830628751f5d/cards?fields=id,name&key=c353aea012edca7d1b850ab522153e17&token=c1b894c6885fd7defa3cf07b8eeb41d2273d762fde8e088ec8aea5fe6c64a6df

    Method

GET

    Parameter

dsc

    Evidence

Set-Cookie: dsc

URL

https://api.trello.com/1/board/58b0cf42257d830628751f5d/checkItems?key=c353aea012edca7d1b850ab522153e17&token=c1b894c6885fd7defa3cf07b8eeb41d2273d762fde8e088ec8aea5fe6c64a6df

    Method

GET

    Parameter

lang

    Evidence

Set-Cookie: lang

URL

https://api.trello.com/1/

    Method

GET

    Parameter

dsc

    Evidence

Set-Cookie: dsc

Instances

4

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Content-Type Header Missing

Description

The Content-Type header was either missing or empty.

URL

https://api.userstyles.org/tic/stats

    Method

POST

Instances

1

Solution

Ensure each page is setting the specific and appropriate content-type value for the content being delivered.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

CWE Id

345

WASC Id

12

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://api.userstyles.org/tic/stats

    Method

POST

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://api.userstyles.org/tic/stats

    Method

POST

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://apidata.googleusercontent.com/caldav/v2/bernt%40bluenilesw.com/

    Method

PROPFIND

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://apidata.googleusercontent.com/caldav/v2/cln2stbjc4hmgrrcd5i62ua0ctp6utbg5pr2sor1dhimsp31e8n6errfctm6abj3dtmg%40virtual/events/

    Method

REPORT

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://apidata.googleusercontent.com/caldav/v2/bernt%40bluenilesw.com/events/qjgbmkbipp9mtp4ve6ugsnpmkg%40google.com.ics

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://apidata.googleusercontent.com/caldav/v2/bernt%40reddogsw.com/

    Method

PROPFIND

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://apidata.googleusercontent.com/caldav/v2/hdspeedfreak%40gmail.com/

    Method

PROPFIND

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://apidata.googleusercontent.com/caldav/v2/bernt%40bluenilesw.com/events/

    Method

REPORT

    Parameter

Cache-Control

    Evidence

private, max-age=0

Instances

6

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://apikeys.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=3600

URL

https://apikeys.clients6.google.com/v1/projects/galileo-map-view-1487967109796/apiKeys?key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g

    Method

GET

    Parameter

Cache-Control

    Evidence

private

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://apikeys.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

https://apis.google.com/js/googleapis.proxy.js?onload=startup

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/googleapis.proxy.js?onload=startup" async defer></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://apis.google.com/_/scs/apps-static/_/ss/k=oz.hovercard.zg968b2m1zur.L.W.O/d=0/rs=AGLTcCPJj0hkdi0AMkRY_CBzgSCv3NYlVQ

    Method

GET

    Parameter

Cache-Control

    Evidence

public, immutable, max-age=31536000

URL

https://apis.google.com/_/scs/apps-static/_/ss/k=oz.plusone.-1053vco59mxfq.L.W.O/d=0/rs=AGLTcCOJWRQJwt1HYZO1phrVoHfeEyeYUQ

    Method

GET

    Parameter

Cache-Control

    Evidence

public, immutable, max-age=31536000

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://app.getpostman.com/api/app_broadcasts?user_id=0&access_token=&count=10&app_version=4.4.1&app_platform=electron

    Method

GET

    Parameter

AWSELB

    Evidence

Set-Cookie: AWSELB

URL

https://app.getpostman.com/api/app_broadcasts?user_id=0&access_token=&count=10&app_version=4.4.1&app_platform=electron

    Method

GET

    Parameter

PHPSESSID

    Evidence

Set-Cookie: PHPSESSID

Instances

2

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://app.getpostman.com/api/electron_updates_auto?channel=prod&current_version=4.4.1&user_id=0&app_id=4c49cf98-d84c-f1c4-b5b9-ee01bc6cbfe2&user_agent=Mozilla%2F5.0%20(Macintosh%3B%20Intel%20Mac%20OS%20X%2010_11_5)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Postman%2F4.4.1%20Chrome%2F47.0.2526.73%20Electron%2F0.36.2%20Safari%2F537.36&platform=OSX

    Method

GET

    Parameter

Cache-Control

URL

https://app.getpostman.com/api/app_broadcasts?user_id=0&access_token=&count=10&app_version=4.4.1&app_platform=electron

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache="set-cookie"

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://app.getpostman.com/api/electron_updates_auto?channel=prod&current_version=4.4.1&user_id=0&app_id=4c49cf98-d84c-f1c4-b5b9-ee01bc6cbfe2&user_agent=Mozilla%2F5.0%20(Macintosh%3B%20Intel%20Mac%20OS%20X%2010_11_5)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Postman%2F4.4.1%20Chrome%2F47.0.2526.73%20Electron%2F0.36.2%20Safari%2F537.36&platform=OSX

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://app.getpostman.com/api/app_broadcasts?user_id=0&access_token=&count=10&app_version=4.4.1&app_platform=electron

    Method

GET

    Parameter

X-Content-Type-Options

Instances

2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://app.getpostman.com/api/app_broadcasts?user_id=0&access_token=&count=10&app_version=4.4.1&app_platform=electron

    Method

GET

    Parameter

PHPSESSID

    Evidence

Set-Cookie: PHPSESSID

URL

https://app.getpostman.com/api/app_broadcasts?user_id=0&access_token=&count=10&app_version=4.4.1&app_platform=electron

    Method

GET

    Parameter

AWSELB

    Evidence

Set-Cookie: AWSELB

Instances

2

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://app.igodigital.com/api/v2/organization/7237177/item_types?api_key=d570a00e-3a74-403f-b804-07388492538

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://app.igodigital.com/api/v2/organization/7237177/item_types?api_key=d570a00e-3a74-403f-b804-07388492538

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://appexchange.salesforce.com/resource/1498059124000/uilib/css/styleAppex.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public

URL

https://appexchange.salesforce.com/resource/1498059124000/uilib/css/styleComty3.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public

URL

https://appexchange.salesforce.com/resource/1498059124000/uilib/css/styleComty2.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public

URL

https://appexchange.salesforce.com/pixel?type=twitter&comingPage=AppExchangeLayout

    Method

GET

    Parameter

Cache-Control

    Evidence

must-revalidate, max-age=0,s-maxage=0

URL

https://appexchange.salesforce.com/resource/1498059125000/uilibfonts/styleNormalize.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public

URL

https://appexchange.salesforce.com/pixel?type=adwords&comingPage=AppExchangeLayout

    Method

GET

    Parameter

Cache-Control

    Evidence

must-revalidate, max-age=0,s-maxage=0

URL

https://appexchange.salesforce.com/pixel?type=linkedin&comingPage=AppExchangeLayout

    Method

GET

    Parameter

Cache-Control

    Evidence

must-revalidate, max-age=0,s-maxage=0

URL

https://appexchange.salesforce.com/pixel?type=doubleclick&comingPage=HomePage

    Method

GET

    Parameter

Cache-Control

    Evidence

must-revalidate, max-age=0,s-maxage=0

URL

https://appexchange.salesforce.com/resource/1498059124000/uilib/css/styleComty1.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public

URL

https://appexchange.salesforce.com/pixel?type=facebook&comingPage=AppExchangeLayout

    Method

GET

    Parameter

Cache-Control

    Evidence

must-revalidate, max-age=0,s-maxage=0

Instances

10

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://appexchange.salesforce.com/resource/1498059124000/uilib/css/styleComty2.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/pixel?type=adwords&comingPage=AppExchangeLayout

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/resource/1498059125000/uilibfonts/styleNormalize.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/pixel?type=twitter&comingPage=AppExchangeLayout

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/components

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/resource/1498059124000/uilib/css/styleAppex.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/faces/a4j/g/3_3_3.Finalorg.ajax4jsf.javascript.AjaxScript?rel=1498687241000

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/results?type=Component&keywords=shopify

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/resource/1498059124000/uilib/js/omniture_appexchange.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/resource/1498059124000/uilib/css/styleComty1.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/resource/1498059124000/uilib/js/appxBodyCombined.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/jslibrary/1497647512000/sfdc/VFState.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/resource/1498059125000/uilibfonts/SalesforceSans-Regular.woff

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/pixel?type=linkedin&comingPage=AppExchangeLayout

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/pixel?type=doubleclick&comingPage=HomePage

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/resource/1498059124000/uilib/css/styleComty3.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/pixel?type=facebook&comingPage=AppExchangeLayout

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/results?keywords=shopify

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/static/111213/js/picklist4.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://appexchange.salesforce.com/jslibrary/1497647512000/sfdc/VFRemote.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

25

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://apps.shopify.com/integrations/salesforce

    Method

GET

    Parameter

last_shop_id

    Evidence

Set-Cookie: last_shop_id

Instances

1

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://apps.shopify.com/assets/application-6193017196307474fd8a1dc3eae3c105.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://apps.shopify.com/assets/shopify-assets/ProximaNova-Light-webfont-ea68fb909b9533552e8b686641b83d5d.woff

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://apps.shopify.com/assets/shopify-assets/Proxima_Nova_Sbold-webfont-40ebe48e87076e3d5e0832042551a092.woff

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://apps.shopify.com/assets/application-991ec3b6d42351af8d7fdf99821a4a15.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://apps.shopify.com/assets/shopify-assets/ProximaNova-Reg-webfont-54aa3f8d9424439d7683e8af547547c9.woff

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://apps.shopify.com/assets/shopify-assets/ss-social-circle-ef76cd14610e9abd7eccd93e338feddf.woff

    Method

GET

    Parameter

X-Content-Type-Options

Instances

6

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://apps.shopify.com/assets/application-6193017196307474fd8a1dc3eae3c105.css

    Method

GET

    Parameter

Cache-Control

URL

https://apps.shopify.com/integrations/salesforce

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://apps.shopify.com/integrations/salesforce

    Method

GET

    Parameter

//ajax.googleapis.com/ajax/libs/jquery/1.8/jquery.min.js

    Evidence

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8/jquery.min.js"></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://assets.onestore.ms/cdnfiles/external/mwf/long/v1/v1.23.2/css/uhf-west-european-default.min.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://assets.pinterest.com/js/pinit.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://assets.pinterest.com/js/pinit_main.js?0.20621643389896205

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://assets.pinterest.com/js/pinit_main.js?0.7542706216679371

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

GET

    Parameter

xt_0d95e

    Evidence

Set-Cookie: xt_0d95e

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

POST

    Parameter

akgtm

    Evidence

Set-Cookie: akgtm

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

GET

    Parameter

JSESSIONID

    Evidence

Set-Cookie: JSESSIONID

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmembers.s7.exacttarget.com%2fInit.aspx

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmembers.s7.exacttarget.com%2fInit.aspx

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

POST

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

POST

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

POST

    Parameter

CASPRIVACY

    Evidence

Set-Cookie: CASPRIVACY

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmembers.s7.exacttarget.com%2fInit.aspx

    Method

GET

    Parameter

WL

    Evidence

Set-Cookie: WL

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

POST

    Parameter

ETIDV

    Evidence

Set-Cookie: ETIDV

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

GET

    Parameter

WL

    Evidence

Set-Cookie: WL

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

GET

    Parameter

akgtm

    Evidence

Set-Cookie: akgtm

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

POST

    Parameter

CASTGC

    Evidence

Set-Cookie: CASTGC

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmembers.s7.exacttarget.com%2fInit.aspx

    Method

GET

    Parameter

akgtm

    Evidence

Set-Cookie: akgtm

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

POST

    Parameter

stack

    Evidence

Set-Cookie: stack

Instances

17

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmembers.s7.exacttarget.com%2fInit.aspx

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

POST

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

Instances

3

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://auth.s1.exacttarget.com/hub-cas/login?service=https%3a%2f%2fmc.exacttarget.com%2fcloud%2flogin.html%3fhash%3dOrEn1bG9nZ2VkLWluSXc9PQ2

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://az416426.vo.msecnd.net/scripts/a/ai.0.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://az725175.vo.msecnd.net/scripts/jsll-4.1.0.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://b4g.baydin.com/inline-manage/managed-thread-ids?email=bernt%40bluenilesw.com&uid=4782379042365903

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://b4g.baydin.com/inline-manage/managed-thread-ids?email=hdspeedfreak%40gmail.com&uid=9467107089036428

    Method

GET

    Parameter

X-Content-Type-Options

Instances

2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://b4g.baydin.com/inline-manage/managed-thread-ids?email=hdspeedfreak%40gmail.com&uid=9467107089036428

    Method

GET

    Parameter

Cache-Control

URL

https://b4g.baydin.com/inline-manage/managed-thread-ids?email=bernt%40bluenilesw.com&uid=4782379042365903

    Method

GET

    Parameter

Cache-Control

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://bam.nr-data.net/1/1c1a92ab77?a=12471964&sa=1&pl=1498841837253&v=768.2acc9fa&t=Unnamed%20Transaction&be=2618&fe=12781&dc=1433&f=%5B%22err%22,%22xhr%22,%22stn%22%5D&perf=%7B%22timing%22:%7B%22of%22:1498841837253,%22n%22:0,%22u%22:2097,%22ue%22:2118,%22dl%22:2145,%22di%22:3574,%22ds%22:3575,%22de%22:4057,%22dc%22:15397,%22l%22:15397,%22le%22:15485,%22f%22:0,%22dn%22:0,%22dne%22:0,%22c%22:25,%22ce%22:543,%22s%22:25,%22rq%22:544,%22rp%22:2090,%22rpe%22:2104%7D,%22navigation%22:%7B%22ty%22:1%7D%7D&jsonp=NREUM.setToken

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://bam.nr-data.net/1/fa45dcf839?a=72894&v=1039.bef6007&to=dl8KQUReDl4AEE1BVFRCB10ZWAxGAAUQU0VcXwpG&rst=8387&ref=https://apps.shopify.com/integrations/salesforce&qt=2&ap=362&be=2509&fe=6771&dc=3455&perf=%7B%22timing%22:%7B%22of%22:1498854059980,%22n%22:0,%22f%22:1,%22dn%22:1,%22dne%22:1,%22c%22:51,%22s%22:101,%22ce%22:618,%22rq%22:618,%22rp%22:2128,%22rpe%22:2136,%22dl%22:2177,%22di%22:3405,%22ds%22:3406,%22de%22:3478,%22dc%22:6768,%22l%22:6769,%22le%22:6772%7D,%22navigation%22:%7B%7D%7D&jsonp=NREUM.setToken

    Method

GET

    Parameter

X-Content-Type-Options

Instances

2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://beacon.krxd.net/optout_check?callback=Krux.ns.sfdc_us.kxjsonp_optOutCheck

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/?section=translations&translations.lang_code=en-US&translations.app=identity

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=60

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/site/381623/?section=translations&translations.lang_code=en-US&translations.app=comment-component

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=60

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/site/381623/?section=translations&translations.lang_code=en-US&translations.app=sidenotes

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=60

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/?section=translations&translations.lang_code=en-US&translations.app=identity

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/site/381623/?section=translations&translations.lang_code=en-US&translations.app=sidenotes

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/site/381623/?section=translations&translations.lang_code=en-US&translations.app=comment-component

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/site/381623/?section=translations&translations.lang_code=en-US&translations.app=comment-component

    Method

GET

    Parameter

X-XSS-Protection

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/?section=translations&translations.lang_code=en-US&translations.app=identity

    Method

GET

    Parameter

X-XSS-Protection

URL

https://bootstrap.livefyre.com/api/v4/configuration/microsoft.fyre.co/site/381623/?section=translations&translations.lang_code=en-US&translations.app=sidenotes

    Method

GET

    Parameter

X-XSS-Protection

Instances

3

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://c.microsoft.com/ms.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

SUORG

    Evidence

Set-Cookie: SUORG

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

inst

    Evidence

Set-Cookie: inst

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

SUPRM

    Evidence

Set-Cookie: SUPRM

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

sid

    Evidence

Set-Cookie: sid

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

RSID

    Evidence

Set-Cookie: RSID

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

sid_Client

    Evidence

Set-Cookie: sid_Client

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

clientSrc

    Evidence

Set-Cookie: clientSrc

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

SUCSP

    Evidence

Set-Cookie: SUCSP

Instances

8

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

SUORG

    Evidence

Set-Cookie: SUORG

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

inst

    Evidence

Set-Cookie: inst

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

SUPRM

    Evidence

Set-Cookie: SUPRM

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

SUCSP

    Evidence

Set-Cookie: SUCSP

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

RSID

    Evidence

Set-Cookie: RSID

Instances

5

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://c.na50.content.force.com/secur/contentDoor?startURL=%2Fone%2Fone.app&sid=00D6A00000027Fp%21AQIAQCw3D_ePteCrDzz60o_xMEXPG.PdGd4UWQ4eX0KxZ6v5JFPuY_qSzOQObExBRzKy_Xqx70L06OWjVgxOlC8LBbJCsdYo&skipRedirect=1&lm=CAAAAVz65nmsME8wNkEwMDAwMDAwMDA2AAAA0NsGuROQjL_QIjt-OOvWQMv5NRFsTuXWnhYjJlrdHioC9uTu3YXhotUOahTVljk39IvHH6hW2SibCK04MaPSkug%3D

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://c.s-microsoft.com/static/fonts/segoe-ui/west-european/normal/latest.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://c.s-microsoft.com/static/fonts/segoe-ui/west-european/semilight/latest.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://c.s-microsoft.com/static/fonts/segoe-ui/west-european/light/latest.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://c.s-microsoft.com/static/fonts/segoe-ui/west-european/bold/latest.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://c.s-microsoft.com/static/fonts/segoe-ui/west-european/semibold/latest.woff2

    Method

GET

    Parameter

X-Content-Type-Options

Instances

5

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://c.salesforce.com/login-messages/promos.html

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://c.salesforce.com/login-messages/promos.html

    Method

GET

    Parameter

https://secure.sfdcstatic.com/common/assets/js/min/bg-cover-min.js

    Evidence

<script type="text/javascript" src="https://secure.sfdcstatic.com/common/assets/js/min/bg-cover-min.js"></script>

URL

https://c.salesforce.com/login-messages/promos.html

    Method

GET

    Parameter

https://secure.sfdcstatic.com/common/assets/js/min/header-login-min.js

    Evidence

<script type="text/javascript" src="https://secure.sfdcstatic.com/common/assets/js/min/header-login-min.js"></script>

URL

https://c.salesforce.com/login-messages/promos.html

    Method

GET

    Parameter

https://secure.sfdcstatic.com/system/shared/common/assets/thirdparty/mouseflow/mouseflow.js

    Evidence

<script src="https://secure.sfdcstatic.com/system/shared/common/assets/thirdparty/mouseflow/mouseflow.js" type="text/javascript" ></script>

URL

https://c.salesforce.com/login-messages/promos.html

    Method

GET

    Parameter

https://secure.sfdcstatic.com/common/assets/js/min/footer-login-min.js

    Evidence

<script type="text/javascript" src="https://secure.sfdcstatic.com/common/assets/js/min/footer-login-min.js"></script>

Instances

4

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://c.salesforce.com/login-messages/promos.html

    Method

GET

    Parameter

JSESSIONID

    Evidence

Set-Cookie: JSESSIONID

Instances

1

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://c.salesforce.com/login-messages/promos.html

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://c.salesforce.com/login-messages/promos.html

    Method

GET

    Parameter

JSESSIONID

    Evidence

Set-Cookie: JSESSIONID

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://c.salesforce.com/login-messages/promos.html

    Method

GET

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://c1.sfdcstatic.com/etc/salesforce/ptb/data/k/w/00D610000008Ckw.json

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://c1.sfdcstatic.com/etc/salesforce/ptb/data/k/w/00D610000008Ckw.json

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=3600

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://cas.criteo.com/delivery/afr.php?ptv=18&abp=1&zoneid=388248&cb=38278157350&nodis=1&charset=UTF-8&dc=3&atfr=0&loc=https%3A%2F%2Fteamforcesite.wordpress.com%2F2016%2F07%2F21%2Fintegration-of-salesforce-with-shopify-application%2F

    Method

GET

    Parameter

zdi

    Evidence

Set-Cookie: zdi

Instances

1

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://cas.criteo.com/delivery/afr.php?ptv=18&abp=1&zoneid=388248&cb=38278157350&nodis=1&charset=UTF-8&dc=3&atfr=0&loc=https%3A%2F%2Fteamforcesite.wordpress.com%2F2016%2F07%2F21%2Fintegration-of-salesforce-with-shopify-application%2F

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://cas.criteo.com/delivery/afr.php?ptv=18&abp=1&zoneid=388248&cb=38278157350&nodis=1&charset=UTF-8&dc=3&atfr=0&loc=https%3A%2F%2Fteamforcesite.wordpress.com%2F2016%2F07%2F21%2Fintegration-of-salesforce-with-shopify-application%2F

    Method

GET

    Parameter

zdi

    Evidence

Set-Cookie: zdi

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://cas.criteo.com/delivery/afr.php?ptv=18&abp=1&zoneid=388248&cb=38278157350&nodis=1&charset=UTF-8&dc=3&atfr=0&loc=https%3A%2F%2Fteamforcesite.wordpress.com%2F2016%2F07%2F21%2Fintegration-of-salesforce-with-shopify-application%2F

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://cas.criteo.com/delivery/afr.php?ptv=18&abp=1&zoneid=388248&cb=38278157350&nodis=1&charset=UTF-8&dc=3&atfr=0&loc=https%3A%2F%2Fteamforcesite.wordpress.com%2F2016%2F07%2F21%2Fintegration-of-salesforce-with-shopify-application%2F

    Method

GET

    Parameter

Cache-Control

    Evidence

private

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://cdn.heapanalytics.com/js/heap-3524808533.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://cdn.krxd.net/controltag/rxr05acqt.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://cdn.livefyre.com/libs/Livefyre/v1.1.1/builds/331/Livefyre.min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.livefyre.com/Livefyre.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.livefyre.com/libs/fyre.conv/v3.0.0/livefyre.min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.livefyre.com/libs/sidenotes/v1.6.0/simhash-worker.min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.livefyre.com/libs/identity/v1.1.11/simple/javascripts/customprofiles.min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.livefyre.com/libs/sidenotes/v1.6.0/sidenotes.min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.livefyre.com/libs/sidenotes/v1.6.0/css/fonts/sidenotes.woff

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.livefyre.com/libs/sidenotes/v1.6.0/css/block.css

    Method

GET

    Parameter

X-Content-Type-Options

Instances

8

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://cdn.livefyre.com/libs/sidenotes/v1.6.0/css/block.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, no-transform, public

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://cdn.mxpnl.com/libs/mixpanel-2-latest.min.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://cdn.ravenjs.com/3.14.2/raven.min.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://cdn.segment.com/analytics.js/v1/5bR4SKXbjn1YZocqWVlJKB6W1WvyihLl/analytics.min.js

    Method

GET

    Parameter

//cdn.mxpnl.com/libs/mixpanel-2-latest.min.js

    Evidence

<script src="//cdn.mxpnl.com/libs/mixpanel-2-latest.min.js">

URL

https://cdn.segment.com/analytics.js/v1/5bR4SKXbjn1YZocqWVlJKB6W1WvyihLl/analytics.min.js

    Method

GET

    Parameter

//stats.g.doubleclick.net/dc.js

    Evidence

<script src="//stats.g.doubleclick.net/dc.js">

URL

https://cdn.segment.com/analytics.js/v1/5bR4SKXbjn1YZocqWVlJKB6W1WvyihLl/analytics.min.js

    Method

GET

    Parameter

https://www.fullstory.com/s/fs.js

    Evidence

<script src="https://www.fullstory.com/s/fs.js">

URL

https://cdn.segment.com/analytics.js/v1/5bR4SKXbjn1YZocqWVlJKB6W1WvyihLl/analytics.min.js

    Method

GET

    Parameter

https://ssl.google-analytics.com/ga.js

    Evidence

<script src="https://ssl.google-analytics.com/ga.js">

URL

https://cdn.segment.com/analytics.js/v1/5bR4SKXbjn1YZocqWVlJKB6W1WvyihLl/analytics.min.js

    Method

GET

    Parameter

http://www.google-analytics.com/ga.js

    Evidence

<script src="http://www.google-analytics.com/ga.js">

URL

https://cdn.segment.com/analytics.js/v1/5bR4SKXbjn1YZocqWVlJKB6W1WvyihLl/analytics.min.js

    Method

GET

    Parameter

//www.google-analytics.com/analytics.js

    Evidence

<script src="//www.google-analytics.com/analytics.js">

Instances

6

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://cdn.segment.com/analytics.js/v1/5bR4SKXbjn1YZocqWVlJKB6W1WvyihLl/analytics.min.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://cdn.sstatic.net/Sites/electronics/all.css?v=e7a1eae5b477

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.sstatic.net/Js/snippet-javascript.en.js?v=138b7a0da97b

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.sstatic.net/Js/full-anon.en.js?v=ddef0cc93e46

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.sstatic.net/Js/post-validation.en.js?v=1bbef2e7b0ae

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.sstatic.net/Js/prettify-full.en.js?v=62a4935c1efb

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.sstatic.net/Sites/stackoverflow/all.css?v=79f4fffba578

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.sstatic.net/Js/stub.en.js?v=4a0d73eae37e

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdn.sstatic.net/clc/styles/clc/jobs-multi.min.css?v=ad9aa8940e38

    Method

GET

    Parameter

X-Content-Type-Options

Instances

8

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://cdn.sstatic.net/Js/snippet-javascript.en.js?v=138b7a0da97b

    Method

GET

    Parameter

https://cdnjs.cloudflare.com/ajax/libs/react/*version*/react-dom.min.js

    Evidence

<script src="https://cdnjs.cloudflare.com/ajax/libs/react/*version*/react-dom.min.js"></script>

URL

https://cdn.sstatic.net/Js/snippet-javascript.en.js?v=138b7a0da97b

    Method

GET

    Parameter

https://cdnjs.cloudflare.com/ajax/libs/knockout/*version*/knockout-min.js

    Evidence

<script src="https://cdnjs.cloudflare.com/ajax/libs/knockout/*version*/knockout-min.js"></script>

URL

https://cdn.sstatic.net/Js/snippet-javascript.en.js?v=138b7a0da97b

    Method

GET

    Parameter

https://cdnjs.cloudflare.com/ajax/libs/react/*version*/react.min.js

    Evidence

<script src="https://cdnjs.cloudflare.com/ajax/libs/react/*version*/react.min.js"></script>

URL

https://cdn.sstatic.net/Js/snippet-javascript.en.js?v=138b7a0da97b

    Method

GET

    Parameter

https://ajax.googleapis.com/ajax/libs/jquery/*version*/jquery.min.js

    Evidence

<script src="https://ajax.googleapis.com/ajax/libs/jquery/*version*/jquery.min.js"></script>

URL

https://cdn.sstatic.net/Js/snippet-javascript.en.js?v=138b7a0da97b

    Method

GET

    Parameter

https://ajax.googleapis.com/ajax/libs/angularjs/*version*/angular.min.js

    Evidence

<script src="https://ajax.googleapis.com/ajax/libs/angularjs/*version*/angular.min.js"></script>

URL

https://cdn.sstatic.net/Js/snippet-javascript.en.js?v=138b7a0da97b

    Method

GET

    Parameter

https://cdnjs.cloudflare.com/ajax/libs/d3/*version*/d3.min.js

    Evidence

<script src="https://cdnjs.cloudflare.com/ajax/libs/d3/*version*/d3.min.js"></script>

Instances

6

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://cdn.sstatic.net/Sites/electronics/all.css?v=e7a1eae5b477

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=604800

URL

https://cdn.sstatic.net/Sites/stackoverflow/all.css?v=79f4fffba578

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=604800

URL

https://cdn.sstatic.net/clc/styles/clc/jobs-multi.min.css?v=ad9aa8940e38

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=604800

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://cdn.tt.omtrdc.net/cdn/target.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/jax/output/HTML-CSS/fonts/STIX/fontdata.js?V=2.7.1

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdnjs.cloudflare.com/ajax/libs/jquery-scrolldepth/0.9.1/jquery.scrolldepth.min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS_HTML-full

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/config/TeX-AMS_HTML-full.js?V=2.7.1

    Method

GET

    Parameter

X-Content-Type-Options

Instances

4

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://cello.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22cello%22%2C%224%22%3A%22appscommonstorage%22%2C%228%22%3Afalse%2C%2213%22%3Atrue%7D&ctype=cello&sw=true&xpc=%7B%22cn%22%3A%229ljBhyvlXo%22%2C%22ppu%22%3A%22https%3A%2F%2Fdrive.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fcello.client-channel.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://cello.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22cello%22%2C%224%22%3A%22appscommonstorage%22%2C%228%22%3Afalse%2C%2213%22%3Atrue%7D&ctype=cello&sw=true&xpc=%7B%22cn%22%3A%22ANbuqYeh4V%22%2C%22ppu%22%3A%22https%3A%2F%2Fdrive.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fcello.client-channel.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://cello.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22cello%22%2C%224%22%3A%22appscommonstorage%22%2C%228%22%3Afalse%2C%2213%22%3Atrue%7D&ctype=cello&sw=true&xpc=%7B%22cn%22%3A%22ANbuqYeh4V%22%2C%22ppu%22%3A%22https%3A%2F%2Fdrive.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fcello.client-channel.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

https://apis.google.com/js/api.js

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/api.js"></script>

URL

https://cello.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22cello%22%2C%224%22%3A%22appscommonstorage%22%2C%228%22%3Afalse%2C%2213%22%3Atrue%7D&ctype=cello&sw=true&xpc=%7B%22cn%22%3A%229ljBhyvlXo%22%2C%22ppu%22%3A%22https%3A%2F%2Fdrive.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fcello.client-channel.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

https://apis.google.com/js/api.js

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/api.js"></script>

Instances

2

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://cfl.dropboxstatic.com/static/compiled/js/langpack/en.json?17347

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=86400

URL

https://cfl.dropboxstatic.com/static/css/preview_flexbox_layout-vflAFdMv4.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/components/button-vflQd_sRP.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/growth/shared_link_signup_modals-vflUAD5s_.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/preview_toolbar-vfl7MLyE1.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/shared_link_file-vflCJUoND.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/foundation-vflaLNUzr.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/components/login_form-vflR7-5rJ.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/recaptcha_v2_challenge-vflLfwbvt.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/preview_linkfile-vflzpnXCF.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/sprites/web_sprites-vflv2MHAO.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/preview_pdf-vflJvc9jB.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/react_file_viewer-vflViiJpy.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/deprecated/components/multiaccount_login_modal-vflNhUM8J.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/maestro_layout-vflQJQrIr.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/preview_archive-vflWdNToO.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/comments-vflTI-IVh.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/react_title_bar-vflTTXA_c.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/preview_error-vflB873Lq.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

URL

https://cfl.dropboxstatic.com/static/css/preview_quality_popup-vflyrlOUZ.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public, immutable

Instances

41

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://cfl.dropboxstatic.com/static/fonts/paper-atlasgrotesk/AtlasGrotesk-Medium-Web-vfl38XiTL.woff2

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/recaptcha_v2_challenge-vflLfwbvt.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/shared_link_file-vflCJUoND.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/shared_link_page-vflRCtSWz.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/components/button-vflQd_sRP.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/sprites/web_sprites-vflv2MHAO.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/foundation-vflaLNUzr.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/fonts/paper-atlasgrotesk/AtlasGrotesk-Bold-Web-vfl39K48X.woff2

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/fonts/paper-atlasgrotesk/AtlasGrotesk-Regular-Web-vflk7bxjs.woff2

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/deprecated/components/multiaccount_login_modal-vflNhUM8J.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/maestro_layout-vflQJQrIr.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/growth/shared_link_signup_modals-vflUAD5s_.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/login_or_register-vflR1JDlu.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/modal-vfl3a7WF1.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/recaptcha_challenge-vflrcf67y.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/growth/bright_modal-vfltS1uv-.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/legacy_packages/components-vflx47Eei.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/compiled/js/langpack/en.json?17347

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/fonts/roboto/Roboto-Medium-webfont-vflGvvuWg.woff2

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

URL

https://cfl.dropboxstatic.com/static/css/components/exp_cards-vflriIPxd.css

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

Instances

27

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://clc.stackoverflow.com/markup.js?omni=Au5chP3yv9QIAAAAAPOduAACAAAAAgAAAAAiAAAAfHNxbC1zZXJ2ZXItMjAwOHxkYXRldGltZXx2YXJjaGFyfADECzYJsMpzY-Sm&lw=2007&zc=27&pf=11

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://clc.stackoverflow.com/markup.js?omni=AplidrLyv9QIAAAAAIJUEQACAAAAAgAAAAAgAAAAfHNxbHxzcWwtc2VydmVyfHN0cmluZ3xkYXRldGltZXwAuxG7jBze7zwO7g&lw=1383&zc=27&pf=11

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://clc.stackoverflow.com/markup.js?omni=AuXJYHT6v9QIAAAAALFRVQACAAAAAgAAAAAQAAAAfHNxbHxzcWwtc2VydmVyfABnUwkC1ZROiHUL&lw=1524&zc=27&pf=11

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://clientauthconfig.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

https://apis.google.com/js/googleapis.proxy.js?onload=startup

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/googleapis.proxy.js?onload=startup" async defer></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://clientauthconfig.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=3600

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://clientmetrics-pa.googleapis.com/v1/projects/drive_ds:log?key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

POST

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://clientmetrics-pa.googleapis.com/v1/projects/drive_ds:log?key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

POST

    Parameter

Cache-Control

    Evidence

private

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://clients1.google.com/tbproxy/af/query?client=Google%20Chrome

    Method

POST

    Parameter

Cache-Control

    Evidence

private

URL

https://clients1.google.com/tbproxy/af/upload?client=Google%20Chrome

    Method

POST

    Parameter

Cache-Control

    Evidence

private

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Secure Pages Include Mixed Content

Description

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

URL

https://clients2.google.com/service/update2?cup2key=7:1870984208&cup2hreq=c28d9f7b0166280070839a912c52440a41289462c7771e7fb837d90daa3b3593

    Method

POST

    Evidence

http://redirector.gvt1.com/edgedl/release2/AI_aEBVOwk_t/

Instances

1

Solution

A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.

The page must not contain any content that is transmitted over unencrypted HTTP.

This includes content from third party sites.

Other information

tag=url codebase=http://redirector.gvt1.com/edgedl/release2/AI_aEBVOwk_t/

tag=url codebase=http://dl.google.com/release2/AI_aEBVOwk_t/

tag=url codebase=http://www.google.com/dl/release2/AI_aEBVOwk_t/

Reference

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

CWE Id

311

WASC Id

4

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://clients4.google.com/invalidation/lcs/client?authuser=1&service=appscommonstorage&xpc=%7B%22cn%22%3A%22ZsUyMzJF0u%22%2C%22ppu%22%3A%22https%3A%2F%2Fdrive.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fclients4.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://clients4.google.com/invalidation/lcs/client?xpc=%7B%22cn%22%3A%22B4A4I6sYqC%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fclients4.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://clients4.google.com/invalidation/lcs/client?authuser=1&service=appscommonstorage&xpc=%7B%22cn%22%3A%22UcJOl1xclK%22%2C%22ppu%22%3A%22https%3A%2F%2Fdrive.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fclients4.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://clients5.google.com/pagead/drt/ne?di=%5B%2220140509-01%22%2C340%2C0%2C936%5D

    Method

GET

    Parameter

Cache-Control

    Evidence

private

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://clients6.google.com/drive/v2internal/files/0Bx-hE8ReKIUFVGlzdUlXdW9YLWM?openDrive=false&reason=102&syncType=0&errorRecovery=false&fields=kind%2Ctitle%2CmimeType%2CcreatedDate%2CmodifiedDate%2CmodifiedByMeDate%2ClastViewedByMeDate%2CfileSize%2ClastModifyingUser(kind%2C%20displayName%2C%20picture%2C%20permissionId%2C%20emailAddress)%2ChasThumbnail%2CthumbnailVersion%2CiconLink%2Cid%2Cshared%2CsharedWithMeDate%2CuserPermission(role)%2CexplicitlyTrashed%2CquotaBytesUsed%2Cshareable%2Ccopyable%2Csubscribed%2CfolderColor%2ChasChildFolders%2CfileExtension%2CprimarySyncParentId%2CsharingUser(kind%2CdisplayName%2Cpicture%2CpermissionId%2CemailAddress)%2CflaggedForAbuse%2CfolderFeatures%2Cspaces%2CsourceAppId%2Ceditable%2Crecency%2CrecencyReason%2Cversion%2CactionItems%2CteamDriveId%2ChasAugmentedPermissions%2CprimaryDomainName%2CorganizationDisplayName%2CpassivelySubscribed%2CtrashingUser(kind%2CdisplayName%2Cpicture%2CpermissionId%2CemailAddress)%2CtrashedDate%2ChasVisitorPermissions%2CpermissionsSummary(entryCount%2Cvisibility(type%2Cdomain%2CwithLink)%2CselectPermissions(kind%2Cid%2Cname%2CemailAddress%2Cdomain%2Crole%2Ctype%2CphotoLink%2CadditionalRoles))%2Cparents(id)%2Clabels(starred%2Chidden%2Ctrashed%2Crestricted%2Cviewed)%2Cowners(permissionId%2CdisplayName%2Cpicture%2Cdomain%2Ckind)%2Ccapabilities(canCopy%2CcanDownload%2CcanEdit%2CcanAddChildren%2CcanDelete%2CcanRemoveChildren%2CcanShare%2CcanTrash%2CcanRename%2CcanReadTeamDrive%2CcanMoveTeamDriveItem%2CcanMoveItemIntoTeamDrive)&supportsTeamDrives=true&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2beta/apps?fields=items(icons%5Bcategory%3D%27application%27%5D%2Cicons(size%2CiconUrl)%2Cid%2Cname%2CopenUrlTemplate%2CprimaryFileExtensions%2CprimaryMimeTypes%2CproductId%2CrankingInfo%2CsecondaryFileExtensions%2CsecondaryMimeTypes%2Ckind)%2Ckind&appQueryScope=all_webstore&languageCode=en-US&key=AIzaSyBc1bLOZpOtg3-qgMjSQ6pmn6HbE2zjzJg

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=300, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/apps?openDrive=false&reason=304&syncType=0&errorRecovery=false&fields=kind%2CdefaultAppIds%2Citems(kind%2Cid%2CuseByDefault%2Cname%2CopenUrlTemplate%2CprimaryMimeTypes%2CsecondaryMimeTypes%2CcreateUrl%2CcreateInFolderTemplate%2CobjectType%2CsupportsCreate%2CsupportsImport%2CsupportsMultiOpen%2CsupportsOfflineCreate%2Cinstalled%2Cauthorized%2CproductUrl%2CprimaryFileExtensions%2CsecondaryFileExtensions%2CshortDescription%2ClongDescription%2CproductId%2Cremovable%2Cicons(iconUrl%2Csize%2Ccategory)%2Ctype%2CchromeExtensionIds%2CrequiresAuthorizationBeforeOpenWith%2ChasDriveWideScope%2CdriveBranded%2CdriveSource%2CsupportsMobileBrowser%2CsupportsTeamDrives)&languageCode=en-US&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/nextdocpredictions?openDrive=false&reason=920&syncType=0&errorRecovery=false&fields=kind%2Ctag%2Citems(kind%2Cscore%2CexplanationMessage%2Cfile(kind%2Ctitle%2CmimeType%2CcreatedDate%2CmodifiedDate%2CmodifiedByMeDate%2ClastViewedByMeDate%2CfileSize%2ClastModifyingUser(kind%2C%20displayName%2C%20picture%2C%20permissionId%2C%20emailAddress)%2ChasThumbnail%2CthumbnailVersion%2CiconLink%2Cid%2Cshared%2CsharedWithMeDate%2CuserPermission(role)%2CexplicitlyTrashed%2CquotaBytesUsed%2Cshareable%2Ccopyable%2Csubscribed%2CfolderColor%2ChasChildFolders%2CfileExtension%2CprimarySyncParentId%2CsharingUser(kind%2CdisplayName%2Cpicture%2CpermissionId%2CemailAddress)%2CflaggedForAbuse%2CfolderFeatures%2Cspaces%2CsourceAppId%2Ceditable%2Crecency%2CrecencyReason%2Cversion%2CactionItems%2CteamDriveId%2ChasAugmentedPermissions%2CprimaryDomainName%2CorganizationDisplayName%2CpassivelySubscribed%2CtrashingUser(kind%2CdisplayName%2Cpicture%2CpermissionId%2CemailAddress)%2CtrashedDate%2ChasVisitorPermissions%2Cparents(id)%2Clabels(starred%2Chidden%2Ctrashed%2Crestricted%2Cviewed)%2Cowners(permissionId%2CdisplayName%2Cpicture%2Cdomain%2Ckind)%2Ccapabilities(canCopy%2CcanDownload%2CcanEdit%2CcanAddChildren%2CcanDelete%2CcanRemoveChildren%2CcanShare%2CcanTrash%2CcanRename%2CcanReadTeamDrive%2CcanMoveTeamDriveItem%2CcanMoveItemIntoTeamDrive)))&languageCode=en-US&maxResults=5&corpora=default&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/files/0Bx-hE8ReKIUFNGNKczdwcFJtRXc?fields=kind%2Cid%2Ctitle%2CuserPermission(role)%2Cshared%2CalternateLink%2CiconLink%2CprimarySyncParentId%2CteamDriveId%2Ccapabilities(canAddChildren%2CcanEdit%2CcanRemoveChildren%2CcanMoveTeamDriveItem%2CcanMoveItemIntoTeamDrive)&supportsTeamDrives=true&key=AIzaSyBvuuU20zeaBQb-M8WEzJVwxQ1lI4k1cXY

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/files/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/permissions?openDrive=false&reason=112&syncType=0&errorRecovery=false&fields=kind%2Citems(kind%2Ctype%2Cid%2Cname%2CemailAddress%2CwithLink%2CphotoLink%2Crole%2CadditionalRoles%2Cdeleted)%2CnextPageToken&maxResults=100&supportsTeamDrives=true&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/files/0Bx-hE8ReKIUFVGlzdUlXdW9YLWM?fields=kind%2Cid%2Ctitle%2CuserPermission(role)%2Cshared%2CalternateLink%2CiconLink%2CprimarySyncParentId%2CteamDriveId%2Ccapabilities(canAddChildren%2CcanEdit%2CcanRemoveChildren%2CcanMoveTeamDriveItem%2CcanMoveItemIntoTeamDrive)&supportsTeamDrives=true&key=AIzaSyAGzWfHQsxTHRSNkBG0DVRYon-iLYCkzCc

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/about?openDrive=true&reason=301&syncType=0&errorRecovery=false&fields=kind%2Cuser%2CquotaBytesTotal%2CquotaBytesUsed%2CquotaBytesUsedAggregate%2CquotaBytesUsedInTrash%2CquotaBytesByService%2CquotaType%2CrootFolderId%2CdomainSharingPolicy%2ClargestChangeId%2CimportFormats&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/files/0AB-hE8ReKIUFUk9PVA/permissions?openDrive=false&reason=112&syncType=0&errorRecovery=false&fields=kind%2Citems(kind%2Ctype%2Cid%2Cname%2CemailAddress%2CwithLink%2CphotoLink%2Crole%2CadditionalRoles%2Cdeleted)%2CnextPageToken&maxResults=100&supportsTeamDrives=true&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/files?openDrive=false&reason=102&syncType=0&errorRecovery=false&q=trashed%20%3D%20false%20and%20%270Bx-hE8ReKIUFNGNKczdwcFJtRXc%27%20in%20parents&fields=kind%2CnextPageToken%2Citems(kind%2Ctitle%2CmimeType%2CcreatedDate%2CmodifiedDate%2CmodifiedByMeDate%2ClastViewedByMeDate%2CfileSize%2ClastModifyingUser(kind%2C%20displayName%2C%20picture%2C%20permissionId%2C%20emailAddress)%2ChasThumbnail%2CthumbnailVersion%2CiconLink%2Cid%2Cshared%2CsharedWithMeDate%2CuserPermission(role)%2CexplicitlyTrashed%2CquotaBytesUsed%2Cshareable%2Ccopyable%2Csubscribed%2CfolderColor%2ChasChildFolders%2CfileExtension%2CprimarySyncParentId%2CsharingUser(kind%2CdisplayName%2Cpicture%2CpermissionId%2CemailAddress)%2CflaggedForAbuse%2CfolderFeatures%2Cspaces%2CsourceAppId%2Ceditable%2Crecency%2CrecencyReason%2Cversion%2CactionItems%2CteamDriveId%2ChasAugmentedPermissions%2CprimaryDomainName%2CorganizationDisplayName%2CpassivelySubscribed%2CtrashingUser(kind%2CdisplayName%2Cpicture%2CpermissionId%2CemailAddress)%2CtrashedDate%2ChasVisitorPermissions%2Cparents(id)%2Clabels(starred%2Chidden%2Ctrashed%2Crestricted%2Cviewed)%2Cowners(permissionId%2CdisplayName%2Cpicture%2Cdomain%2Ckind)%2Ccapabilities(canCopy%2CcanDownload%2CcanEdit%2CcanAddChildren%2CcanDelete%2CcanRemoveChildren%2CcanShare%2CcanTrash%2CcanRename%2CcanReadTeamDrive%2CcanMoveTeamDriveItem%2CcanMoveItemIntoTeamDrive))%2CincompleteSearch&appDataFilter=NO_APP_DATA&spaces=drive%2Cphotos&maxResults=50&supportsTeamDrives=true&includeTeamDriveItems=true&corpora=default&orderBy=folder%2Ctitle%20asc&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/discovery/v1/apis?name=geocoding_backend&cb=419695

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=300, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/files/0Bx-hE8ReKIUFNGNKczdwcFJtRXc/permissions?openDrive=false&reason=112&syncType=0&errorRecovery=false&fields=kind%2Citems(kind%2Ctype%2Cid%2Cname%2CemailAddress%2CwithLink%2CphotoLink%2Crole%2CadditionalRoles%2Cdeleted)%2CnextPageToken&maxResults=100&supportsTeamDrives=true&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/about?fields=importFormats,kind&key=AIzaSyDVQw45DwoYh632gvsP5vPDqEKvb-Ywnb8

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/youtube/v3/videos?id=lHiBs9S7gB4&part=snippet&alt=json&key=AIzaSyBokvzEPUrkgfws0OrFWkpKkVBVuhRfKpk

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=300, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/settings?openDrive=false&reason=304&syncType=0&errorRecovery=false&namespace=DRIVE_FE&namespace=DRIVE_BE&namespace=PSYNCHO&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/voice/v1/users/@me/account?checkHangoutsCallingPermission=false&key=AIzaSyBokvzEPUrkgfws0OrFWkpKkVBVuhRfKpk&locale=en&alt=protojson

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/about?openDrive=false&reason=304&syncType=0&errorRecovery=false&fields=kind%2Cuser%2CquotaBytesTotal%2CquotaBytesUsed%2CquotaBytesUsedAggregate%2CquotaBytesUsedInTrash%2CquotaBytesByService%2CquotaType%2CrootFolderId%2CdomainSharingPolicy%2ClargestChangeId%2CimportFormats&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/files/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU?fields=kind%2Cid%2Ctitle%2CuserPermission(role)%2Cshared%2CalternateLink%2CiconLink%2CprimarySyncParentId%2CmimeType%2Cparents(id)%2CteamDriveId%2Ccapabilities(canAddChildren%2CcanEdit%2CcanRemoveChildren%2CcanMoveTeamDriveItem%2CcanMoveItemIntoTeamDrive)&supportsTeamDrives=true&key=AIzaSyBvuuU20zeaBQb-M8WEzJVwxQ1lI4k1cXY

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/files/0Bx-hE8ReKIUFVGlzdUlXdW9YLWM/permissions?openDrive=false&reason=112&syncType=0&errorRecovery=false&fields=kind%2Citems(kind%2Ctype%2Cid%2Cname%2CemailAddress%2CwithLink%2CphotoLink%2Crole%2CadditionalRoles%2Cdeleted)%2CnextPageToken&maxResults=100&supportsTeamDrives=true&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

URL

https://clients6.google.com/drive/v2internal/about?fields=importFormats,kind&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0, must-revalidate, no-transform

Instances

31

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://cloudresourcemanager.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

https://apis.google.com/js/googleapis.proxy.js?onload=startup

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/googleapis.proxy.js?onload=startup" async defer></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://cloudresourcemanager.clients6.google.com/v1/projects?alt=json&key=AIzaSyD-nhJADgF50b3VFd0BVfOPZqrEpuJQHxQ

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://cloudresourcemanager.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=3600

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://cloudusersettings-pa.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=3600

URL

https://cloudusersettings-pa.clients6.google.com/v1alpha1/settings/FREE_TRIAL_DISMISS_STATE?key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://cloudusersettings-pa.clients6.google.com/v1alpha1/recent/PROJECT?key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g&resourceId=53652206938&%24unique=gc783

    Method

PUT

    Parameter

Cache-Control

    Evidence

private

URL

https://cloudusersettings-pa.clients6.google.com/v1alpha1/recent/PROJECT?key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g&resourceId=galileo-map-view-1487967109796&%24unique=gc783

    Method

PUT

    Parameter

Cache-Control

    Evidence

private

URL

https://cloudusersettings-pa.clients6.google.com/v1alpha1/settings/ALLOW_USER_TRACKING?key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g

    Method

GET

    Parameter

Cache-Control

    Evidence

private

Instances

5

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://cloudusersettings-pa.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

https://apis.google.com/js/googleapis.proxy.js?onload=startup

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/googleapis.proxy.js?onload=startup" async defer></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://configuration.apple.com/configurations/pep/config/geo/networkDefaults-osx-10.11.plist

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://configuration.apple.com/configurations/pep/config/geo/networkDefaults-osx-10.11.plist

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=32

URL

https://configuration.apple.com/configurations/pep/config/geo/networkDefaults-osx-10.11.plist

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=23

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://console.developers.google.com/apis/api/geocoding_backend?project=_&pli=1

    Method

GET

    Parameter

//www.gstatic.com/_/pantheon/_/js/k=pantheon.pantheon_module_set.en_US.DZH72F7J6Vo.O/m=core,jsmod_apiui/am=AAB4AwCAABgAUIAYAECBEAbAKQCQKmABAGAYgAgAAAW4AJAQAUg/rt=j/d=1/rs=ADqnUbMOi0qQJUVd48_YSCAlKiVhSEyVZQ

    Evidence

<script src="//www.gstatic.com/_/pantheon/_/js/k=pantheon.pantheon_module_set.en_US.DZH72F7J6Vo.O/m=core,jsmod_apiui/am=AAB4AwCAABgAUIAYAECBEAbAKQCQKmABAGAYgAgAAAW4AJAQAUg/rt=j/d=1/rs=ADqnUbMOi0qQJUVd48_YSCAlKiVhSEyVZQ" nonce="LsuFCKIZtyPBND3Gv75RMOKd2SU"></script>

URL

https://console.developers.google.com/henhouse/?pb=%5B%22hh-0%22%2C%22geocoding_backend%22%2Cnull%2C%5B%5D%2C%22https%3A%2F%2Fdevelopers.google.com%22%2Cnull%2C%5B%5D%2Cnull%2Cnull%2Cnull%2Cnull%2C%5B%5D%5D

    Method

GET

    Parameter

//ajax.googleapis.com/ajax/libs/angular_material/1.1.0/angular-material.min.js

    Evidence

<script src="//ajax.googleapis.com/ajax/libs/angular_material/1.1.0/angular-material.min.js"></script>

Instances

2

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://console.developers.google.com/m/project/galileo-map-view-1487967109796/abusestate

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=300

URL

https://console.developers.google.com/henhouse/?pb=%5B%22hh-0%22%2C%22geocoding_backend%22%2Cnull%2C%5B%5D%2C%22https%3A%2F%2Fdevelopers.google.com%22%2Cnull%2C%5B%5D%2Cnull%2Cnull%2Cnull%2Cnull%2C%5B%5D%5D

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, must-revalidate

URL

https://console.developers.google.com/henhouse/compiled_concat.css

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, must-revalidate

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://content.googleapis.com/drive/v2beta/apps?appQueryScope=ALL_WEBSTORE&fields=items(icons%5Bcategory=%27application%27%5D,id,name,openUrlTemplate,primaryFileExtensions,primaryMimeTypes,productId,rankingInfo,secondaryFileExtensions,secondaryMimeTypes),kind&languageCode=en&key=AIzaSyBc1bLOZpOtg3-qgMjSQ6pmn6HbE2zjzJg

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=300, must-revalidate, no-transform

URL

https://content.googleapis.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=86400

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://d14qd3he45186l.cloudfront.net/ads-search32.html

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://d14qd3he45186l.cloudfront.net/ads-search32.html

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://d14qd3he45186l.cloudfront.net/ads-search32.html

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://d24n15hnbwhuhn.cloudfront.net/libs/amplitude-2.2.0-min.gz.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/css/5e7a0ff1f69817e8d0d6eb5ab18b2cb8/logged-out.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/css/b092944d65df59171f6933c3550c67c5/metamorph-core.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

4

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/css/5e7a0ff1f69817e8d0d6eb5ab18b2cb8/logged-out.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=31536000000

URL

https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/css/b092944d65df59171f6933c3550c67c5/metamorph-core.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=31536000000

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://d3qdfnco3bamip.cloudfront.net/wjs/v3.0.1498169893/javascripts/livefyre_mod_main.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://d3qdfnco3bamip.cloudfront.net/wjs/v3.0.1498169893/javascripts/livefyre_mod_editor_main.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://d3qdfnco3bamip.cloudfront.net/wjs/v3.0.1498169893/css/livefyre_main.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://d3qdfnco3bamip.cloudfront.net/wjs/v3.0.1498169893/javascripts/livefyre_base.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

4

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://d3qdfnco3bamip.cloudfront.net/wjs/v3.0.1498169893/css/livefyre_main.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=2592000

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://d78fikflryjgj.cloudfront.net/lib/snowplow/2.0.0.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://data.livefyre.com/bs3/v3.1/microsoft.fyre.co/381623/MWY1NmVmYzEtZTkwZi02OGRkLWNiMDItMmYyYmEyMTM3M2ZkLWVuLXVz/init

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://data.livefyre.com/bs3/v3.1/microsoft.fyre.co/381623/MDkyYTkxOTYtYzQ1ZC0yNmU1LTVhOTgtM2ZhODk0NjkyNjY2LWVuLXVz/init

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://data.livefyre.com/bs3/v3.1/microsoft.fyre.co/381623/ZWNlZGExNzktZTFmNS0yYTM2LTdlYjktNGU2MjVhOTM2MzAzLWVuLXVz/init

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://data.livefyre.com/bs3/v3.1/microsoft.fyre.co/381623/MDkyYTkxOTYtYzQ1ZC0yNmU1LTVhOTgtM2ZhODk0NjkyNjY2LWVuLXVz/init

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=120, s-maxage=120

URL

https://data.livefyre.com/bs3/v3.1/microsoft.fyre.co/381623/ZWNlZGExNzktZTFmNS0yYTM2LTdlYjktNGU2MjVhOTM2MzAzLWVuLXVz/init

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=120, s-maxage=120

URL

https://data.livefyre.com/bs3/v3.1/microsoft.fyre.co/381623/MWY1NmVmYzEtZTkwZi02OGRkLWNiMDItMmYyYmEyMTM3M2ZkLWVuLXVz/init

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=120, s-maxage=120

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://dc.ads.linkedin.com/collect/?fmt=gif&pid=543

    Method

GET

    Parameter

BizoID

    Evidence

Set-Cookie: BizoID

URL

https://dc.ads.linkedin.com/collect/?fmt=gif&pid=543

    Method

GET

    Parameter

BizoData

    Evidence

Set-Cookie: BizoData

Instances

2

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://dc.ads.linkedin.com/collect/?fmt=gif&pid=543

    Method

GET

    Parameter

BizoCustomSegments

    Evidence

Set-Cookie: BizoCustomSegments

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://dc.services.visualstudio.com/v2/track

    Method

POST

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://developers.google.com/maps/

    Method

GET

    Parameter

Cache-Control

    Evidence

must_revalidate, public, max-age=3600

URL

https://developers.google.com/maps/documentation/geocoding/intro

    Method

GET

    Parameter

Cache-Control

    Evidence

must_revalidate, public, max-age=3600

URL

https://developers.google.com/maps/styles/lhstyles/pricing_card/css/pricing_card.css

    Method

GET

    Parameter

Cache-Control

    Evidence

must_revalidate, public, max-age=3600

URL

https://developers.google.com/_s/getsuggestions?hl=en&s=devsite&c=1

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=600

URL

https://developers.google.com/_s/getsuggestions?hl=en&p=%2Fmaps%2F&s=devsite&c=2

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=600

URL

https://developers.google.com/_s/getsuggestions?hl=en&p=%2Fmaps%2F&s=devsite&c=3

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=600

URL

https://developers.google.com/_static/0fb3bb994f/css/devsite-google-blue.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=604800

URL

https://developers.google.com/maps/styles/tos-cards.css

    Method

GET

    Parameter

Cache-Control

    Evidence

must_revalidate, public, max-age=3600

URL

https://developers.google.com/maps/styles/lhstyles/landing/css/landing.css

    Method

GET

    Parameter

Cache-Control

    Evidence

must_revalidate, public, max-age=3600

URL

https://developers.google.com/_s/getsuggestions?hl=en&s=cloud&c=1

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=600

URL

https://developers.google.com/profile/userhistory

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, private

URL

https://developers.google.com/_s/getsuggestions?hl=en&p=%2Fmaps%2Fdocumentation%2Fgeocoding%2F&s=devsite&c=2

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=600

URL

https://developers.google.com/maps/styles/common.css

    Method

GET

    Parameter

Cache-Control

    Evidence

must_revalidate, public, max-age=3600

URL

https://developers.google.com/_s/getsuggestions?hl=en&p=%2Fmaps%2Fdocumentation%2Fgeocoding%2F&s=devsite&c=3

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=600

Instances

14

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://developers.google.com/maps/documentation/geocoding/intro

    Method

GET

    Parameter

//www.gstatic.com/feedback/api.js

    Evidence

<script async defer src="//www.gstatic.com/feedback/api.js"></script>

URL

https://developers.google.com/maps/

    Method

GET

    Parameter

//www.gstatic.com/feedback/api.js

    Evidence

<script async defer src="//www.gstatic.com/feedback/api.js"></script>

URL

https://developers.google.com/maps/

    Method

GET

    Parameter

//survey.g.doubleclick.net/async_survey?site=paewx4mdhuzny4k5rewdgkq2cy

    Evidence

<script async defer src="//survey.g.doubleclick.net/async_survey?site=paewx4mdhuzny4k5rewdgkq2cy"></script>

Instances

3

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://developers.google.com/_static/0fb3bb994f/js/jquery-bundle.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://developers.google.com/_static/0fb3bb994f/js/script_foot_closure.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://developers.google.com/_static/0fb3bb994f/js/script_foot.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://developers.google.com/_static/0fb3bb994f/js/jquery_ui-bundle.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://developers.google.com/_static/0fb3bb994f/css/devsite-google-blue.css

    Method

GET

    Parameter

X-Content-Type-Options

Instances

5

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://dl.dropboxusercontent.com/xls/preview_shared/RCls7zOXNkebeRTYr4shyzkcqH9DryVibjcr4opYeZM93Cir8DqK6eDtRSSEWwQY/file?dl=0&get_preview=1&revision_id=A5oFVMits38H-kZECwZWMwjiQMtUpKVKLloAhMdx5Fzf9lBDqzNEipYZJyRXBW6MQsCjX_thsfgayALXhIK46W5yHzbUye4k1sDC7yGLqDWMfpNmfVYxcZ3EzEsyKki-d70

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://dl.dropboxusercontent.com/xls/preview_shared/RCls7zOXNkebeRTYr4shyzkcqH9DryVibjcr4opYeZM93Cir8DqK6eDtRSSEWwQY/file?dl=0&get_preview=1&revision_id=A5oFVMits38H-kZECwZWMwjiQMtUpKVKLloAhMdx5Fzf9lBDqzNEipYZJyRXBW6MQsCjX_thsfgayALXhIK46W5yHzbUye4k1sDC7yGLqDWMfpNmfVYxcZ3EzEsyKki-d70

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://dl.dropboxusercontent.com/xls/preview_shared/RCls7zOXNkebeRTYr4shyzkcqH9DryVibjcr4opYeZM93Cir8DqK6eDtRSSEWwQY/file?dl=0&get_preview=1&revision_id=A5oFVMits38H-kZECwZWMwjiQMtUpKVKLloAhMdx5Fzf9lBDqzNEipYZJyRXBW6MQsCjX_thsfgayALXhIK46W5yHzbUye4k1sDC7yGLqDWMfpNmfVYxcZ3EzEsyKki-d70

    Method

GET

    Parameter

https://cfl.dropboxstatic.com/static/previews/preview_spreadsheet_rams.js?v=12

    Evidence

<script src="https://cfl.dropboxstatic.com/static/previews/preview_spreadsheet_rams.js?v=12"></script>

URL

https://dl.dropboxusercontent.com/xls/preview_shared/RCls7zOXNkebeRTYr4shyzkcqH9DryVibjcr4opYeZM93Cir8DqK6eDtRSSEWwQY/file?dl=0&get_preview=1&revision_id=A5oFVMits38H-kZECwZWMwjiQMtUpKVKLloAhMdx5Fzf9lBDqzNEipYZJyRXBW6MQsCjX_thsfgayALXhIK46W5yHzbUye4k1sDC7yGLqDWMfpNmfVYxcZ3EzEsyKki-d70

    Method

GET

    Parameter

https://cfl.dropboxstatic.com/static/previews/frame_messenger_client.js?v=1

    Evidence

<script src="https://cfl.dropboxstatic.com/static/previews/frame_messenger_client.js?v=1"></script>

URL

https://dl.dropboxusercontent.com/xls/preview_shared/RCls7zOXNkebeRTYr4shyzkcqH9DryVibjcr4opYeZM93Cir8DqK6eDtRSSEWwQY/file?dl=0&get_preview=1&revision_id=A5oFVMits38H-kZECwZWMwjiQMtUpKVKLloAhMdx5Fzf9lBDqzNEipYZJyRXBW6MQsCjX_thsfgayALXhIK46W5yHzbUye4k1sDC7yGLqDWMfpNmfVYxcZ3EzEsyKki-d70

    Method

GET

    Parameter

https://cfl.dropboxstatic.com/static/previews/previews-common/jquery-1.10.2.min.js

    Evidence

<script src="https://cfl.dropboxstatic.com/static/previews/previews-common/jquery-1.10.2.min.js"></script>

Instances

3

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://dl.dropboxusercontent.com/xls/preview_shared/RCls7zOXNkebeRTYr4shyzkcqH9DryVibjcr4opYeZM93Cir8DqK6eDtRSSEWwQY/file?dl=0&get_preview=1&revision_id=A5oFVMits38H-kZECwZWMwjiQMtUpKVKLloAhMdx5Fzf9lBDqzNEipYZJyRXBW6MQsCjX_thsfgayALXhIK46W5yHzbUye4k1sDC7yGLqDWMfpNmfVYxcZ3EzEsyKki-d70

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://docs.google.com/sharing/share?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&foreignService=kix&gaiaService=writely&shareService=kix&command=init_share&subapp=10&popupWindowsEnabled=true&shareUiType=default&hl=en&authuser=1&rand=1498857247682&locationHint=unknown&preload=true

    Method

GET

    Parameter

https://ssl.gstatic.com/_/commonsharing/_/js/k=commonsharing.share.en_US.HnxuMTLxtOw.O/m=h/rt=j/d=0/rs=AIt5m0WX6-aMlY5aPPseeq1bsXvAjt2SMw

    Evidence

<script type="text/javascript" src="https://ssl.gstatic.com/_/commonsharing/_/js/k=commonsharing.share.en_US.HnxuMTLxtOw.O/m=h/rt=j/d=0/rs=AIt5m0WX6-aMlY5aPPseeq1bsXvAjt2SMw" nonce="u93LNWkvj7PNdyN6CBzrSnn9uGQ"></script>

URL

https://docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/edit?usp=drive_web

    Method

GET

    Parameter

chrome-extension://ghbmnnjooekpmoecnnnilnnbdlolhkhi/page_embed_script.js

    Evidence

<script type="text/javascript" src="chrome-extension://ghbmnnjooekpmoecnnnilnnbdlolhkhi/page_embed_script.js" nonce="sVFN1kGcfMwzEOHxTQ7b7hBy4vM"></script>

URL

https://docs.google.com/offline/iframeapi?ouid=uc0046c710a5324d5

    Method

GET

    Parameter

chrome-extension://ghbmnnjooekpmoecnnnilnnbdlolhkhi/page_embed_script.js

    Evidence

<script type="text/javascript" src="chrome-extension://ghbmnnjooekpmoecnnnilnnbdlolhkhi/page_embed_script.js"></script>

URL

https://docs.google.com/sharing/share?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&foreignService=kix&gaiaService=writely&shareService=kix&command=init_share&subapp=10&popupWindowsEnabled=true&shareUiType=default&hl=en&authuser=1&rand=1498857247682&locationHint=unknown&preload=true

    Method

GET

    Parameter

https://ssl.gstatic.com/_/commonsharing/_/js/k=commonsharing.share.en_US.HnxuMTLxtOw.O/m=s/rt=j/d=0/rs=AIt5m0WX6-aMlY5aPPseeq1bsXvAjt2SMw

    Evidence

<script type="text/javascript" src="https://ssl.gstatic.com/_/commonsharing/_/js/k=commonsharing.share.en_US.HnxuMTLxtOw.O/m=s/rt=j/d=0/rs=AIt5m0WX6-aMlY5aPPseeq1bsXvAjt2SMw" nonce="u93LNWkvj7PNdyN6CBzrSnn9uGQ"></script>

URL

https://docs.google.com/sharing/share?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&foreignService=kix&gaiaService=writely&shareService=kix&command=init_share&subapp=10&popupWindowsEnabled=true&shareUiType=default&hl=en&authuser=1&rand=1498857247682&locationHint=unknown&preload=true

    Method

GET

    Parameter

https://ssl.gstatic.com/_/commonsharing/_/js/k=commonsharing.share.en_US.HnxuMTLxtOw.O/m=t/rt=j/d=0/rs=AIt5m0WX6-aMlY5aPPseeq1bsXvAjt2SMw

    Evidence

<script type="text/javascript" src="https://ssl.gstatic.com/_/commonsharing/_/js/k=commonsharing.share.en_US.HnxuMTLxtOw.O/m=t/rt=j/d=0/rs=AIt5m0WX6-aMlY5aPPseeq1bsXvAjt2SMw" nonce="u93LNWkvj7PNdyN6CBzrSnn9uGQ"></script>

URL

https://docs.google.com/sharing/share?id=1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY&foreignService=kix&gaiaService=writely&shareService=kix&command=init_share&subapp=10&popupWindowsEnabled=true&shareUiType=default&hl=en&authuser=1&rand=1498857247682&locationHint=unknown&preload=true

    Method

GET

    Parameter

chrome-extension://ghbmnnjooekpmoecnnnilnnbdlolhkhi/page_embed_script.js

    Evidence

<script type="text/javascript" src="chrome-extension://ghbmnnjooekpmoecnnnilnnbdlolhkhi/page_embed_script.js" nonce="u93LNWkvj7PNdyN6CBzrSnn9uGQ"></script>

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/edit?usp=drive_web

    Method

GET

    Parameter

chrome-extension://ghbmnnjooekpmoecnnnilnnbdlolhkhi/page_embed_script.js

    Evidence

<script type="text/javascript" src="chrome-extension://ghbmnnjooekpmoecnnnilnnbdlolhkhi/page_embed_script.js"></script>

Instances

7

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://docs.google.com/a/bluenilesw.com/document/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/edit?usp=drive_web

    Method

GET

    Parameter

GFE_RTT

    Evidence

Set-Cookie: GFE_RTT

URL

https://docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/edit?usp=drive_web

    Method

GET

    Parameter

GFE_RTT

    Evidence

Set-Cookie: GFE_RTT

URL

https://docs.google.com/a/bluenilesw.com/spreadsheets/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/edit?usp=drive_web

    Method

GET

    Parameter

GFE_RTT

    Evidence

Set-Cookie: GFE_RTT

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/edit?usp=drive_web

    Method

GET

    Parameter

GFE_RTT

    Evidence

Set-Cookie: GFE_RTT

Instances

4

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://docs.google.com/a/bluenilesw.com/spreadsheets/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/edit?usp=drive_web

    Method

GET

    Parameter

GFE_RTT

    Evidence

Set-Cookie: GFE_RTT

URL

https://docs.google.com/a/bluenilesw.com/document/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/edit?usp=drive_web

    Method

GET

    Parameter

GFE_RTT

    Evidence

Set-Cookie: GFE_RTT

URL

https://docs.google.com/document/u/1/d/1XXWent5ZYj6hAxQoDQ_P54MzAaZZPHIwxvQlWsSArbY/edit?usp=drive_web

    Method

GET

    Parameter

GFE_RTT

    Evidence

Set-Cookie: GFE_RTT

URL

https://docs.google.com/spreadsheets/u/1/d/1OvHx36W6504CyK_h1Uw8IIYCNpkKpYua38-5IAQL0JU/edit?usp=drive_web

    Method

GET

    Parameter

GFE_RTT

    Evidence

Set-Cookie: GFE_RTT

Instances

4

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://docs.google.com/static/spreadsheets2/client/css/2383721529-waffle_k_rtl.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=31536000

URL

https://docs.google.com/offline/common/manifest?ouid=u48e5c42088eda700

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=3600

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://docs.microsoft.com/en-us/sql/t-sql/language-elements/case-transact-sql

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=582

URL

https://docs.microsoft.com/en-us/sql/t-sql/functions/cast-and-convert-transact-sql

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=600

URL

https://docs.microsoft.com/en-us/sql/t-sql/functions/cast-and-convert-transact-sql

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=151

URL

https://docs.microsoft.com/_chrome/commenting/master/open-commenting.ui.docs.v1.0.2-7-g1b78816.master.min.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=27170212

URL

https://docs.microsoft.com/en-us/sql/t-sql/functions/TOC.json

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=188

URL

https://docs.microsoft.com/en-us/sql/breadcrumb/toc.json

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=308

URL

https://docs.microsoft.com/_chrome/rating/configs/exp-config.json

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=9

URL

https://docs.microsoft.com/_chrome/rating/master/resources/en-us.json

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=761

URL

https://docs.microsoft.com/en-us/sql/t-sql/functions/TOC.json

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=258

URL

https://docs.microsoft.com/_chrome/commenting/master/open-commenting.ui.v1.0.2-7-g1b78816.master.min.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=26855175

URL

https://docs.microsoft.com/en-us/sql/t-sql/data-types/smalldatetime-transact-sql

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=600

URL

https://docs.microsoft.com/_chrome/rating/master/version.json

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=2654

URL

https://docs.microsoft.com/_themes/docs.theme/master/en-us/_themes/css/359e2a2bdf369f4f41b1.site.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=592237

URL

https://docs.microsoft.com/_chrome/commenting/master/version.json

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=1665

URL

https://docs.microsoft.com/en-us/sql/t-sql/language-elements/TOC.json

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=407

URL

https://docs.microsoft.com/_themes/docs.theme/master/en-us/_themes/css/359e2a2bdf369f4f41b1.conceptual.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=592118

URL

https://docs.microsoft.com/en-us/sql/t-sql/data-types/TOC.json

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=156

Instances

17

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://docs.microsoft.com/en-us/sql/t-sql/data-types/smalldatetime-transact-sql

    Method

GET

    Parameter

https://mem.gfx.ms/meversion?partner=msdocs&market=en-us

    Evidence

<script src="https://mem.gfx.ms/meversion?partner=msdocs&market=en-us" async defer></script>

URL

https://docs.microsoft.com/en-us/sql/t-sql/functions/cast-and-convert-transact-sql

    Method

GET

    Parameter

https://assets.onestore.ms/cdnfiles/external/uhf/long/6cd17f63f634a900b40eb670c61866e8e1385b9f/js/uhf-main.var.min.js

    Evidence

<script src="https://assets.onestore.ms/cdnfiles/external/uhf/long/6cd17f63f634a900b40eb670c61866e8e1385b9f/js/uhf-main.var.min.js" async defer></script>

URL

https://docs.microsoft.com/en-us/sql/t-sql/functions/cast-and-convert-transact-sql

    Method

GET

    Parameter

https://mem.gfx.ms/meversion?partner=msdocs&market=en-us

    Evidence

<script src="https://mem.gfx.ms/meversion?partner=msdocs&market=en-us" async defer></script>

URL

https://docs.microsoft.com/en-us/sql/t-sql/data-types/smalldatetime-transact-sql

    Method

GET

    Parameter

https://assets.onestore.ms/cdnfiles/external/uhf/long/6cd17f63f634a900b40eb670c61866e8e1385b9f/js/uhf-main.var.min.js

    Evidence

<script src="https://assets.onestore.ms/cdnfiles/external/uhf/long/6cd17f63f634a900b40eb670c61866e8e1385b9f/js/uhf-main.var.min.js" async defer></script>

URL

https://docs.microsoft.com/en-us/sql/t-sql/language-elements/case-transact-sql

    Method

GET

    Parameter

https://mem.gfx.ms/meversion?partner=msdocs&market=en-us

    Evidence

<script src="https://mem.gfx.ms/meversion?partner=msdocs&market=en-us" async defer></script>

URL

https://docs.microsoft.com/en-us/sql/t-sql/language-elements/case-transact-sql

    Method

GET

    Parameter

https://assets.onestore.ms/cdnfiles/external/uhf/long/6cd17f63f634a900b40eb670c61866e8e1385b9f/js/uhf-main.var.min.js

    Evidence

<script src="https://assets.onestore.ms/cdnfiles/external/uhf/long/6cd17f63f634a900b40eb670c61866e8e1385b9f/js/uhf-main.var.min.js" async defer></script>

Instances

6

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://docs.microsoft.com/en-us/sql/t-sql/data-types/smalldatetime-transact-sql

    Method

GET

    Parameter

SID

    Evidence

Set-Cookie: SID

URL

https://docs.microsoft.com/en-us/sql/t-sql/data-types/smalldatetime-transact-sql

    Method

GET

    Parameter

ARRAffinity

    Evidence

Set-Cookie: ARRAffinity

Instances

2

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://docs.microsoft.com/en-us/sql/t-sql/data-types/smalldatetime-transact-sql

    Method

GET

    Parameter

SID

    Evidence

Set-Cookie: SID

Instances

1

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://dpm.demdex.net/id?d_visid_ver=2.1.0&d_fieldgroup=AAM&d_rtbd=json&d_ver=2&d_orgid=8D6C67C25245AF020A490D4C%40AdobeOrg&d_nsid=0&d_mid=26143214703270968390094568821291249732&d_blob=NRX38WO0n5BH8Th-nqAG_A&ts=1498857899820

    Method

GET

    Parameter

demdex

    Evidence

Set-Cookie: demdex

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://dpm.demdex.net/id?d_visid_ver=2.1.0&d_fieldgroup=AAM&d_rtbd=json&d_ver=2&d_orgid=8D6C67C25245AF020A490D4C%40AdobeOrg&d_nsid=0&d_mid=26143214703270968390094568821291249732&d_blob=NRX38WO0n5BH8Th-nqAG_A&ts=1498857899820

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://dpm.demdex.net/id?d_visid_ver=2.1.0&d_fieldgroup=AAM&d_rtbd=json&d_ver=2&d_orgid=8D6C67C25245AF020A490D4C%40AdobeOrg&d_nsid=0&d_mid=26143214703270968390094568821291249732&d_blob=NRX38WO0n5BH8Th-nqAG_A&ts=1498857899820

    Method

GET

    Parameter

demdex

    Evidence

Set-Cookie: demdex

Instances

1

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://dq4ijymydgrfx.cloudfront.net/2017-03-13/feedback-us.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://drive.google.com/drive/u/1/my-drive

    Method

GET

    Parameter

https://apis.google.com/js/api.js

    Evidence

<script src="https://apis.google.com/js/api.js"></script>

URL

https://drive.google.com/drive/u/1/my-drive

    Method

GET

    Parameter

chrome-extension://ghbmnnjooekpmoecnnnilnnbdlolhkhi/page_embed_script.js

    Evidence

<script src="chrome-extension://ghbmnnjooekpmoecnnnilnnbdlolhkhi/page_embed_script.js"></script>

Instances

2

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://electronics.stackexchange.com/questions/313865/full-wave-rectifier-efficiency

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://electronics.stackexchange.com/questions/313865/full-wave-rectifier-efficiency

    Method

GET

    Parameter

https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS_HTML-full

    Evidence

<script src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS_HTML-full"></script>

URL

https://electronics.stackexchange.com/questions/313865/full-wave-rectifier-efficiency

    Method

GET

    Parameter

https://cdn.sstatic.net/Js/stub.en.js?v=4a0d73eae37e

    Evidence

<script src="https://cdn.sstatic.net/Js/stub.en.js?v=4a0d73eae37e"></script>

URL

https://electronics.stackexchange.com/questions/313865/full-wave-rectifier-efficiency

    Method

GET

    Parameter

https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js

    Evidence

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>

Instances

3

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://electronics.stackexchange.com/questions/313865/full-wave-rectifier-efficiency

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://electronics.stackexchange.com/questions/313865/full-wave-rectifier-efficiency

    Method

GET

    Parameter

Cache-Control

    Evidence

private

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://email-app.s7.marketingcloudapps.com/

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/asset/v1/content/assets/22702?%24fields=All

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/hub/v1/campaigns?_=1498846653457&$page=2&$pagesize=25&$orderby=name%20asc&$filter=all

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/platform-internal/v1/userkeyvalue/NewEmailGridViewed

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/messaging-internal/v1/lists/category/2876?&$page=1&$pagesize=100

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/platform-internal/v1/categories/0/children?$page=1&$pagesize=100&$filter=categorytype%20eq%20%27dataextension%27%20or%20categorytype%20eq%20%27shared_data%27%20or%20categorytype%20eq%20%27shared_dataextension%27

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/hub/v1/tags?$page=1&$pagesize=100&$orderby=name

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/messaging-internal/v1/sendclassifications?$page=1&$pagesize=1&$orderby=createdDate%20asc&$filter=sendClassificationType%20eq%20%27Marketing%27

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/asset/v1/content/assets/22236

    Method

PUT

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/internal/v1/users?$page=1&$pagesize=50&$orderby=name

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/messaging/v1/validationwords/envelope

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/asset/v1/content/assets/22236

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/platform-internal/v1/userkeystore/previouslySelectedAudienceType

    Method

PUT

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/hub/v1/campaigns?_=1498846310348&$page=2&$pagesize=25&$orderby=name%20asc&$filter=all

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/platform/v1/endpoints/?$page=1&$pagesize=25

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/asset/v1/assetTypes?$page=1&$pagesize=250

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/platform-internal/v1/categories/0/children?$page=1&$pagesize=25&$filter=categorytype%20eq%20%27dataextension%27%20or%20categorytype%20eq%20%27shared_data%27%20or%20categorytype%20eq%20%27shared_dataextension%27%20or%20categorytype%20eq%20%27shared_suppression_list%27%20or%20categorytype%20eq%20%27suppression_list%27

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/messaging-internal/v1/deliveryProfiles?$page=1&$pagesize=25

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/messaging-internal/v1/senderProfiles?$page=1&$pagesize=25

    Method

GET

    Parameter

Cache-Control

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/platform-internal/v1/userkeystore/previouslySelectedAudienceType

    Method

GET

    Parameter

Cache-Control

Instances

46

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/hub/v1/campaigns?_=1498846310348&$page=2&$pagesize=25&$orderby=name%20asc&$filter=all

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/hub/v1/campaigns?_=1498846653457&$page=2&$pagesize=25&$orderby=name%20asc&$filter=all

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/messaging-internal/v1/lists/category/2876?&$page=1&$pagesize=100

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/internal/v1/users?$page=1&$pagesize=50&$orderby=name

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/asset/v1/content/assets/22702?%24fields=All

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/hub/v1/tags?$page=1&$pagesize=100&$orderby=name

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/messaging-internal/v1/sendclassifications?$page=1&$pagesize=1&$orderby=createdDate%20asc&$filter=sendClassificationType%20eq%20%27Marketing%27

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/platform-internal/v1/categories?$page=1&$pagesize=25&$filter=categorytype%20eq%20%27mysubs%27

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/platform-internal/v1/categories/0/children?$page=1&$pagesize=100&$filter=categorytype%20eq%20%27dataextension%27%20or%20categorytype%20eq%20%27shared_data%27%20or%20categorytype%20eq%20%27shared_dataextension%27

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fonts/glyphicons-halflings-regular.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/asset/v1/content/assets/22702

    Method

PUT

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/bower_components/etckeditor/dist/skins/cloudtheme/skin.js?t=F61A

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/css/styles.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/internal/v1/customobjects/5560abcc-d756-e711-82f4-00110a68cc95/fields/?$page=1&$pagesize=25

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/asset/v1/assetTypes?$page=1&$pagesize=250

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/bower_components/etckeditor/dist/skins/cloudtheme/editor.css?t=F61A

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/email/v1/contacts/attributes/?$page=1&$pagesize=25

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/bower_components/ckeditor/lang/en.js?t=F61A

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://email-app.s7.marketingcloudapps.com/fuelapi/data-internal/v1/customObjectData/5560abcc-d756-e711-82f4-00110a68cc95?showKey=true&$page=1&$pagesize=25

    Method

GET

    Parameter

X-Content-Type-Options

Instances

62

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Secure Pages Include Mixed Content

Description

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

URL

https://email-app.s7.marketingcloudapps.com/js/main.js

    Method

GET

    Evidence

http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

Instances

1

Solution

A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.

The page must not contain any content that is transmitted over unencrypted HTTP.

This includes content from third party sites.

Other information

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/f3bcb75d-176b-4412-83f3-e70dc1c591c8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.s4.exct.net/lib/fe911573736c007d7d/m/2/ca503367-ab86-4e0d-8130-faecddb9e4d8.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-grey-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-grey-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/e0d1065a-ec21-4f1e-b783-685b7f57ea84.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/0685724b-35e2-4870-b340-7868278640ea.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/0685724b-35e2-4870-b340-7868278640ea.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/0685724b-35e2-4870-b340-7868278640ea.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WB-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/e0d1065a-ec21-4f1e-b783-685b7f57ea84.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WB-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/e0d1065a-ec21-4f1e-b783-685b7f57ea84.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/0685724b-35e2-4870-b340-7868278640ea.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/0685724b-35e2-4870-b340-7868278640ea.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/0685724b-35e2-4870-b340-7868278640ea.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/1d3c2974-bc52-42ab-b8ad-4e2763be0bea.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WB-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/864c985d-b20e-4e40-801a-d9616c8e5087.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/44647114-a075-4fb6-8c3a-a320f1391e10.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/1d3c2974-bc52-42ab-b8ad-4e2763be0bea.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WB-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/1d3c2974-bc52-42ab-b8ad-4e2763be0bea.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WB-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/0df1584d-742d-4bea-96ed-c05c89e2fef9.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WC-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/0df1584d-742d-4bea-96ed-c05c89e2fef9.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WC-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/0df1584d-742d-4bea-96ed-c05c89e2fef9.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WC-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WC-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/62707b86-b27c-4791-bd51-aece849745da.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/5eb37282-eb2b-404f-8bb2-e594d94e089b.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/e30b0eda-8456-41e8-8d22-ccded061cf4b.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-BW-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/8547af06-6a93-446e-af74-683508a6bb69.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/62707b86-b27c-4791-bd51-aece849745da.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/5eb37282-eb2b-404f-8bb2-e594d94e089b.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-BW-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/62707b86-b27c-4791-bd51-aece849745da.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-BW-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-BW-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/b7ea4ef9-4a12-4a9a-9a39-63ded95aa0d5.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/0d52b9d2-6041-4fca-8b35-0d1c0d991104.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WB-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/b7ea4ef9-4a12-4a9a-9a39-63ded95aa0d5.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WB-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/a870364c-f340-4fa3-b6fc-03c776e34309.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/a870364c-f340-4fa3-b6fc-03c776e34309.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WB-2x.png

tag=img src=http://image.s1.qa1.exacttarget.com/lib/fe6715707267027d7610/m/1/a870364c-f340-4fa3-b6fc-03c776e34309.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-facebook-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-twitter-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-instagram-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-youtube-WB-2x.png

tag=img src=http://image.exct.net/lib/fe5f15707267027a7712/m/1/socialshare-pinterest-WB-2x.png

Reference

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

CWE Id

311

WASC Id

4

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://email-app.s7.marketingcloudapps.com/formstylingblock.js

    Method

GET

    Parameter

X-XSS-Protection

URL

https://email-app.s7.marketingcloudapps.com/%25%25=CONCAT(@image_base_url,%20@prod_img)=%25%25

    Method

GET

    Parameter

X-XSS-Protection

URL

https://email-app.s7.marketingcloudapps.com/smartcaptureformfieldblock.js

    Method

GET

    Parameter

X-XSS-Protection

URL

https://email-app.s7.marketingcloudapps.com/smartcapturesubmitoptionsblock.js

    Method

GET

    Parameter

X-XSS-Protection

URL

https://email-app.s7.marketingcloudapps.com/smartcaptureblock.js

    Method

GET

    Parameter

X-XSS-Protection

URL

https://email-app.s7.marketingcloudapps.com/%25%25=v(@coll_img)=%25%25

    Method

GET

    Parameter

X-XSS-Protection

URL

https://email-app.s7.marketingcloudapps.com/rssfeedblock.js

    Method

GET

    Parameter

X-XSS-Protection

URL

https://email-app.s7.marketingcloudapps.com/

    Method

GET

    Parameter

X-XSS-Protection

Instances

8

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://email-app.s7.marketingcloudapps.com/js/main.js

    Method

GET

    Parameter

//play.vidyard.com/PqxOAvMlZO354MS3zjLYqw.js?v=3.1.1&type=inline&width=490&height=275

    Evidence

<script type="text/javascript" id="vidyard_embed_code_PqxOAvMlZO354MS3zjLYqw" src="//play.vidyard.com/PqxOAvMlZO354MS3zjLYqw.js?v=3.1.1&type=inline&width=490&height=275"></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://email-app.s7.marketingcloudapps.com/login

    Method

POST

    Parameter

email-app937Key

    Evidence

set-cookie: email-app937Key

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://engine.adzerk.net/ados?t=1498852847344&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk59206026%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk390609828%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk2108324546%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql%2Csql-server%2Cstring%2Cdatetime%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

azk

    Evidence

Set-Cookie: azk

URL

https://engine.adzerk.net/ados?t=1498845973723&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk841761598%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk1918042910%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk185516961%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql-server%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

azk

    Evidence

Set-Cookie: azk

URL

https://engine.adzerk.net/ados?t=1498856179399&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk340491016%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk1032398078%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk372659625%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql%2Csql-server%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

azk

    Evidence

Set-Cookie: azk

URL

https://engine.adzerk.net/ados?t=1498852973272&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk2010066676%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk1416397568%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk725459592%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql-server-2008%2Cdatetime%2Cvarchar%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

azk

    Evidence

Set-Cookie: azk

Instances

4

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://engine.adzerk.net/ados?t=1498852847344&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk59206026%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk390609828%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk2108324546%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql%2Csql-server%2Cstring%2Cdatetime%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

azk

    Evidence

Set-Cookie: azk

URL

https://engine.adzerk.net/ados?t=1498852973272&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk2010066676%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk1416397568%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk725459592%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql-server-2008%2Cdatetime%2Cvarchar%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

azk

    Evidence

Set-Cookie: azk

URL

https://engine.adzerk.net/ados?t=1498856179399&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk340491016%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk1032398078%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk372659625%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql%2Csql-server%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

azk

    Evidence

Set-Cookie: azk

URL

https://engine.adzerk.net/ados?t=1498845973723&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk841761598%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk1918042910%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk185516961%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql-server%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

azk

    Evidence

Set-Cookie: azk

Instances

4

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://engine.adzerk.net/ados?t=1498852847344&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk59206026%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk390609828%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk2108324546%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql%2Csql-server%2Cstring%2Cdatetime%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://engine.adzerk.net/ados?t=1498852973272&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk2010066676%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk1416397568%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk725459592%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql-server-2008%2Cdatetime%2Cvarchar%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://engine.adzerk.net/ados?t=1498856179399&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk340491016%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk1032398078%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk372659625%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql%2Csql-server%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://engine.adzerk.net/ados?t=1498845973723&request=%7B%22Placements%22:%5B%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk841761598%22,%22AT%22:4,%22Z%22:%5B43%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk1918042910%22,%22AT%22:4,%22Z%22:%5B44%5D%7D,%7B%22A%22:22,%22S%22:8277,%22D%22:%22adzerk185516961%22,%22ATA%22:%5B5,17,2221,1129,43%5D,%22Z%22:%5B45%5D%7D%5D,%22Keywords%22:%22sql-server%22,%22Referrer%22:%22https%3A%2F%2Fwww.google.com%2F%22,%22IsAsync%22:true%7D

    Method

GET

    Parameter

X-Content-Type-Options

Instances

4

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://fonts.googleapis.com/css?family=Roboto:400,500,700

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.googleapis.com/css?family=Inconsolata:400,700

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.googleapis.com/css?family=Roboto

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.googleapis.com/css?family=Open+Sans:400,700

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.googleapis.com/css?family=Roboto:300,400,400italic,500,500italic,700,700italic%7CRoboto+Mono:400,500,700%7CMaterial+Icons

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.googleapis.com/css?family=Roboto:400,700%7CMaterial+Icons

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.googleapis.com/css?family=Open+Sans:100,200,300,400,600,700&subset=latin,latin-ext

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.googleapis.com/css?family=Lato%3A400%2C300%2C300italic%2C400italic%2C700%2C700italic%7CLora%3A400italic%2C700italic&subset=latin%2Clatin-ext

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.googleapis.com/css?family=Roboto:400,500%7CInconsolata:400,700

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.googleapis.com/css?family=Roboto:300,400,500,700

    Method

GET

    Parameter

X-Content-Type-Options

Instances

10

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://fonts.googleapis.com/css?family=Roboto:400,500,700

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=86400, stale-while-revalidate=604800

URL

https://fonts.googleapis.com/css?family=Lato%3A400%2C300%2C300italic%2C400italic%2C700%2C700italic%7CLora%3A400italic%2C700italic&subset=latin%2Clatin-ext

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=86400, stale-while-revalidate=604800

URL

https://fonts.googleapis.com/css?family=Roboto

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=86400, stale-while-revalidate=604800

URL

https://fonts.googleapis.com/css?family=Roboto:400,500%7CInconsolata:400,700

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=86400, stale-while-revalidate=604800

URL

https://fonts.googleapis.com/css?family=Open+Sans:100,200,300,400,600,700&subset=latin,latin-ext

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=86400, stale-while-revalidate=604800

URL

https://fonts.googleapis.com/css?family=Roboto:300,400,500,700

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=86400, stale-while-revalidate=604800

URL

https://fonts.googleapis.com/css?family=Open+Sans:400,700

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=86400, stale-while-revalidate=604800

URL

https://fonts.googleapis.com/css?family=Roboto:400,700%7CMaterial+Icons

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=86400, stale-while-revalidate=604800

URL

https://fonts.googleapis.com/css?family=Roboto:300,400,400italic,500,500italic,700,700italic%7CRoboto+Mono:400,500,700%7CMaterial+Icons

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=86400, stale-while-revalidate=604800

URL

https://fonts.googleapis.com/css?family=Inconsolata:400,700

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=86400, stale-while-revalidate=604800

Instances

10

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://fonts.gstatic.com/l/font?kit=w5TV1gUGtMAJ1dwwI_iCvgLUuEpTyoUstqEm5AMlJo4&skey=a1029226f80653a8&v=v8

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=3qINvnjb346LubKDfLRn6xampu5_7CjHW5spxoeN3Vs&skey=96867d716c89840e&v=v10

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=yO6U_gDYM5qdR3e3A7RwjwLUuEpTyoUstqEm5AMlJo4&skey=a1029226f80653a8&v=v8

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=23obpnVGtF-BQtnUAejuY8hHwsiXhsDb0smKjAA7Bek&skey=470ea9b7edd795d7&v=v10

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=MD9mg8Cy2AOZQTj1RMSKupBw1xU1rKptJj_0jans920&skey=6830e38320d5ad43&v=v8

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=wkshsMjunzKumD3zh1j69QzyDMXhdD8sAj6OAJTFsBI&skey=5202a3b6f5388b49&v=v8

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=tglRjQQneep4ISNw_cVZOBampu5_7CjHW5spxoeN3Vs&skey=8b00183e5f6700b6&v=v8

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=2K4_TzEdu-yyqrFIZikTEALUuEpTyoUstqEm5AMlJo4&skey=d4699178559bc4b0&v=v8

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=dftp9UkVz-eHSE8kXLAH3mfrnYWAzH6tTbHZfcsRIsM&skey=cf7b06949deecd8b&v=v10

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=v58W6z8cm42h92CJRCAnuxampu5_7CjHW5spxoeN3Vs&skey=5d78cb5d3a5cdf77&v=v8

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=3qINvnjb346LubKDfLRn65N7En7qVX6gofu6fNdcSaM&skey=96867d716c89840e&v=v10

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=5w-FLLchhD8oUCXUYKWO9wLUuEpTyoUstqEm5AMlJo4&skey=d4699178559bc4b0&v=v8

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=cCwcoZCh95jEfkePtzfl9wzyDMXhdD8sAj6OAJTFsBI&skey=cd2dd6afe6bf0eb2&v=v8

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=q-nQIMXO1ya9XJ9pGgSby1h3o8VkC1exAYQ700cRowo&skey=b4833ce002cd81b5&v=v10

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://fonts.gstatic.com/l/font?kit=s6BJz6dd05IaBkVSZYii2pBw1xU1rKptJj_0jans920&skey=36a3d5758e0e2f58&v=v8

    Method

GET

    Parameter

X-Content-Type-Options

Instances

15

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://google-developers.appspot.com/maps/documentation/utils/geocoder/embed

    Method

GET

    Parameter

//ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js

    Evidence

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js"></script>

URL

https://google-developers.appspot.com/maps/documentation/utils/geocoder/embed

    Method

GET

    Parameter

https://maps.googleapis.com/maps/api/js?v=3.exp&client=gme-addictive&channel=geocoder-tool-embed&libraries=places

    Evidence

<script src="https://maps.googleapis.com/maps/api/js?v=3.exp&amp;client=gme-addictive&amp;channel=geocoder-tool-embed&amp;libraries=places"></script>

Instances

2

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://google-developers.appspot.com/_static/js/mustache-bundle.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://google-developers.appspot.com/maps/documentation/utils/geocoder/styles-embed.css

    Method

GET

    Parameter

Cache-Control

    Evidence

must_revalidate, public, max-age=3600

URL

https://google-developers.appspot.com/maps/documentation/utils/geocoder/embed

    Method

GET

    Parameter

Cache-Control

    Evidence

must_revalidate, public, max-age=3600

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://graph.facebook.com/

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://graph.facebook.com/fql?q=SELECT%20url,normalized_url,share_count,like_count,comment_count,total_count,commentsbox_count,comments_fbid,click_count%20FROM%20link_stat%20WHERE%20url=%22http://vinjabond.com/category/hacks/%22&callback=Filament.SocialStats.parseStats.facebook&_1498862518589=

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://graph.facebook.com/?callback=WPCOMSharing.update_facebook_count&ids=https%3A%2F%2Fteamforcesite.wordpress.com%2F2016%2F07%2F21%2Fintegration-of-salesforce-with-shopify-application%2F&_=1498856636088

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://graph.facebook.com/fql?q=SELECT%20url,normalized_url,share_count,like_count,comment_count,total_count,commentsbox_count,comments_fbid,click_count%20FROM%20link_stat%20WHERE%20url=%22http://vinjabond.com/macgyvered-how-to-operate-like-macgyver/%22&callback=Filament.SocialStats.parseStats.facebook&_1498862553679=

    Method

GET

    Parameter

X-Content-Type-Options

Instances

4

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://graph.facebook.com/fql?q=SELECT%20url,normalized_url,share_count,like_count,comment_count,total_count,commentsbox_count,comments_fbid,click_count%20FROM%20link_stat%20WHERE%20url=%22http://vinjabond.com/macgyvered-how-to-operate-like-macgyver/%22&callback=Filament.SocialStats.parseStats.facebook&_1498862553679=

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store

URL

https://graph.facebook.com/fql?q=SELECT%20url,normalized_url,share_count,like_count,comment_count,total_count,commentsbox_count,comments_fbid,click_count%20FROM%20link_stat%20WHERE%20url=%22http://vinjabond.com/category/hacks/%22&callback=Filament.SocialStats.parseStats.facebook&_1498862518589=

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://gsp-ssl.ls.apple.com/experiments.arpc

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://gsp-ssl.ls.apple.com/dispatcher.arpc

    Method

POST

    Parameter

X-Content-Type-Options

Instances

2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Content-Type Header Missing

Description

The Content-Type header was either missing or empty.

URL

https://gsp-ssl.ls.apple.com/dispatcher.arpc

    Method

POST

Instances

1

Solution

Ensure each page is setting the specific and appropriate content-type value for the content being delivered.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

CWE Id

345

WASC Id

12

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://gsp64-ssl.ls.apple.com/a/v2/use

    Method

POST

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Content-Type Header Missing

Description

The Content-Type header was either missing or empty.

URL

https://gsp64-ssl.ls.apple.com/a/v2/use

    Method

POST

Instances

1

Solution

Ensure each page is setting the specific and appropriate content-type value for the content being delivered.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

CWE Id

345

WASC Id

12

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://gspe1-ssl.ls.apple.com/pep/gcc

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://gspe1-ssl.ls.apple.com/pep/gcc

    Method

GET

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://gspe1-ssl.ls.apple.com/pep/gcc

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://gspe35-ssl.ls.apple.com/config/announcements?hardware=MacBookPro12,1&lang=en&os=osx&os_build=15F34&os_version=10.11.5

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://gspe35-ssl.ls.apple.com/geo_manifest/dynamic/config?application=geod&application_version=1&country_code=US&hardware=MacBookPro12,1&os=osx&os_build=15F34&os_version=10.11.5

    Method

GET

    Parameter

X-Content-Type-Options

Instances

2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://hangouts.google.com/webchat/u/0/frame?v=1498502060&hl=en&pvt=AMP3uWZdUR2AoDUrQWWh_gnaiMvVzB_xfCxx53HFvX-HNN2Uv7H-0lkLsQzriLLU5JEIVEl1hoGWiTWKzEq5TrdhZrF-lz7dZg%3D%3D&prop=gmail

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=31536000

URL

https://hangouts.google.com/hangouts/_/hscv?pvt=AMP3uWYxeMYkl3vqyynUFdBXbzed0aKeSlOBXimW9Y0EODzu1tEIhoBrncrq48p_0Rh-dkNIx8CMsF0qhJb261J7xQgvjeQEeA&authuser=0&xpc=%7B%22cn%22%3A%22qUyV1iYi1n%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%7D

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://hangouts.google.com/_/scs/chat-static/_/ss/k=chat.wbl.-haojoyhhg4s7.L.W.O/am=HQHAiwZg/d=0/rs=AGNGyv0HzYVn1ZjNiEqNkff9uPrW2ysnWQ

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=31536000

URL

https://hangouts.google.com/webchat/frame3?zx=1498502060

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=31536000

Instances

4

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://help.salesforce.com/sCSS/40.0/1497971282000/PortalDefault/gc/dStandard.css

    Method

GET

    Parameter

apex__siteUserLanguage

    Evidence

Set-Cookie: apex__siteUserLanguage

URL

https://help.salesforce.com/sCSS/40.0/1498857922000/PortalDefault/00D30000000XsfG/06030000000M1Pu/gc/portal.css

    Method

GET

    Parameter

apex__siteUserLanguage

    Evidence

Set-Cookie: apex__siteUserLanguage

URL

https://help.salesforce.com/setSFXCookie?value=sfx

    Method

GET

    Parameter

apex__searchContentPriortize

    Evidence

Set-Cookie: apex__searchContentPriortize

Instances

3

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/common.css

    Method

GET

    Parameter

Cache-Control

    Evidence

s-maxage=0, private

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/extended.css

    Method

GET

    Parameter

Cache-Control

    Evidence

s-maxage=0, private

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/elements.css

    Method

GET

    Parameter

Cache-Control

    Evidence

s-maxage=0, private

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/zen-componentsCompatible.css

    Method

GET

    Parameter

Cache-Control

    Evidence

s-maxage=0, private

URL

https://help.salesforce.com/setSFXCookie?value=sfx

    Method

GET

    Parameter

Cache-Control

    Evidence

must-revalidate, max-age=0,s-maxage=0

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/setup.css

    Method

GET

    Parameter

Cache-Control

    Evidence

s-maxage=0, private

URL

https://help.salesforce.com/sCSS/40.0/1497971282000/PortalDefault/00D30000000XsfG/00530000007ajIy/gc/dCustom1.css

    Method

GET

    Parameter

Cache-Control

    Evidence

s-maxage=0, private

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/tableTabNavigation.css

    Method

GET

    Parameter

Cache-Control

    Evidence

s-maxage=0, private

URL

https://help.salesforce.com/sCSS/40.0/1497971282000/PortalDefault/00D30000000XsfG/00530000007ajIy/gc/dCustom0.css

    Method

GET

    Parameter

Cache-Control

    Evidence

s-maxage=0, private

Instances

9

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/setup.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://help.salesforce.com/sCSS/40.0/1497971282000/PortalDefault/gc/dStandard.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://help.salesforce.com/sCSS/40.0/1497971282000/PortalDefault/00D30000000XsfG/00530000007ajIy/gc/dCustom0.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/elements.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/extended.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://help.salesforce.com/setSFXCookie?value=sfx

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/zen-componentsCompatible.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/common.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://help.salesforce.com/sCSS/40.0/1497971282000/PortalDefault/00D30000000XsfG/00530000007ajIy/gc/dCustom1.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://help.salesforce.com/sCSS/40.0/1498159010000/PortalDefault/default/gc/tableTabNavigation.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://help.salesforce.com/sCSS/40.0/1498857922000/PortalDefault/00D30000000XsfG/06030000000M1Pu/gc/portal.css

    Method

GET

    Parameter

X-Content-Type-Options

Instances

11

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://help.salesforce.com/sCSS/40.0/1497971282000/PortalDefault/gc/dStandard.css

    Method

GET

    Parameter

https://c.la1cs.salesforceliveagent.com/content/g/deployment.js

    Evidence

<script src="https://c.la1cs.salesforceliveagent.com/content/g/deployment.js"></script>

URL

https://help.salesforce.com/sCSS/40.0/1498857922000/PortalDefault/00D30000000XsfG/06030000000M1Pu/gc/portal.css

    Method

GET

    Parameter

https://play.vidyard.com/v0/api.js

    Evidence

<script src="https://play.vidyard.com/v0/api.js"></script>

URL

https://help.salesforce.com/sCSS/40.0/1498857922000/PortalDefault/00D30000000XsfG/06030000000M1Pu/gc/portal.css

    Method

GET

    Parameter

https://c.la1cs.salesforceliveagent.com/content/g/deployment.js

    Evidence

<script src="https://c.la1cs.salesforceliveagent.com/content/g/deployment.js"></script>

URL

https://help.salesforce.com/sCSS/40.0/1497971282000/PortalDefault/gc/dStandard.css

    Method

GET

    Parameter

https://play.vidyard.com/v0/api.js

    Evidence

<script src="https://play.vidyard.com/v0/api.js"></script>

Instances

4

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://help.salesforce.com/setSFXCookie?value=sfx

    Method

GET

    Parameter

apex__searchContentPriortize

    Evidence

Set-Cookie: apex__searchContentPriortize

URL

https://help.salesforce.com/sCSS/40.0/1497971282000/PortalDefault/gc/dStandard.css

    Method

GET

    Parameter

apex__siteUserLanguage

    Evidence

Set-Cookie: apex__siteUserLanguage

URL

https://help.salesforce.com/sCSS/40.0/1498857922000/PortalDefault/00D30000000XsfG/06030000000M1Pu/gc/portal.css

    Method

GET

    Parameter

apex__siteUserLanguage

    Evidence

Set-Cookie: apex__siteUserLanguage

Instances

3

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://i.s-microsoft.com/wedcs/ms.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://i1.services.social.microsoft.com/Search/Widgets/SearchBox.jss?boxid=SearchTextBox&btnid=SearchButton&brand=Msdn&loc=en-US&resref=49&addEnglish=&rn=&rq=&watermark=SQL%20Server&focusOnInit=False&beta=0&iroot=sqlserver&overrideWatermark=false&pgArea=&cver=0%0d%0a

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://i1.social.s-msft.com/Forums/RequestReduceContent/afe76dcda570713d08bbeb54774890e2-c312783b8d9c2fab508594ca5904e213-RequestReducedStyle.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=29134476

URL

https://i1.social.s-msft.com/Forums/resources/NetReflector/NetReflector.css?cver=0%0d%0a

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=73592

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://i1.social.s-msft.com/Forums/resources/scripts/jquery-impromptu.3.1.min.js?cver=0%0d%0a

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/resources/NetReflector/NetReflector.js?cver=0%0d%0a

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/RequestReduceContent/81d2b4286e0d3e86fbf7f2e3a2468529-c769c4ecaf33d04f3dea6af4337b9847-RequestReducedScript.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/resources/NetReflector/NetReflector.css?cver=0%0d%0a

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/RequestReduceContent/198faff60a83dd768cacdf60118b0b19-6584225de39c1527dd5dd7bce11792ab-RequestReducedScript.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/GlobalResources/scripts/WEDCS.js?cver=0%0d%0a

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/resources/scripts/core.js?cver=0%0d%0a

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/RequestReduceContent/afe76dcda570713d08bbeb54774890e2-c312783b8d9c2fab508594ca5904e213-RequestReducedStyle.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/RequestReduceContent/0a2f6dbf06b9f0a53d16b1e5d0f929ac-dff89e51e56a79ed646ef2b26dec6b95-RequestReducedScript.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/RequestReduceContent/3c5c66dae383e989c2436e51e0b95498-df4d2dc89d69a0cd231342274ee34c28-RequestReducedScript.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/resources/scripts/messages.js?cver=0%0d%0a

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/resources/scripts/webtrends.js?cver=0%0d%0a

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/RequestReduceContent/fbeddfde7c678cd5341121e0ee23c711-764641120452f582c83dce86b5200c2e-RequestReducedScript.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://i1.social.s-msft.com/Forums/GlobalResources/scripts/omni_rsid_social.js?cver=0%0d%0a

    Method

GET

    Parameter

X-Content-Type-Options

Instances

14

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://i1.social.s-msft.com/Forums/resources/scripts/webtrends.js?cver=0%0d%0a

    Method

GET

    Parameter

https://m.webtrends.com/dcsour5e80000008ybade4ttg_1i1l/wtid.js

    Evidence

<script type='text/javascript' src='https://m.webtrends.com/dcsour5e80000008ybade4ttg_1i1l/wtid.js'>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://iam.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

https://apis.google.com/js/googleapis.proxy.js?onload=startup

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/googleapis.proxy.js?onload=startup" async defer></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://iam.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=3600

URL

https://iam.clients6.google.com/v1/projects/galileo-map-view-1487967109796/serviceAccounts?removeDeletedServiceAccounts=true&pageSize=100&key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g

    Method

GET

    Parameter

Cache-Control

    Evidence

private

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://identity.livefyre.com/microsoft.fyre.co/api/v1.0/public/config/js-config/

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://identity.livefyre.com/microsoft.fyre.co/api/v1.0/public/config/js-config/

    Method

GET

    Parameter

csrftoken

    Evidence

Set-Cookie: csrftoken

URL

https://identity.livefyre.com/microsoft.fyre.co/api/v1.0/public/config/js-config/

    Method

GET

    Parameter

lfsp-profile

    Evidence

Set-Cookie: lfsp-profile

Instances

2

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://identity.livefyre.com/microsoft.fyre.co/api/v1.0/public/config/js-config/

    Method

GET

    Parameter

lfsp-profile

    Evidence

Set-Cookie: lfsp-profile

URL

https://identity.livefyre.com/microsoft.fyre.co/api/v1.0/public/config/js-config/

    Method

GET

    Parameter

csrftoken

    Evidence

Set-Cookie: csrftoken

Instances

2

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://identity.livefyre.com/microsoft.fyre.co/api/v1.0/public/config/js-config/

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://images-na.ssl-images-amazon.com/images/G/01/AUIClients/AmazonGatewayAuiAssets-feb9a9edc104521c85948e4ad890640f1c785637._V2_.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/G/01/x-locale/personalization/yourstore/js/ratings-bar-366177._CB204593665_.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/I/41KkLWmKggL.js?AUIClients/AskAuiAssets

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/I/81JVcqDofHL.js?AUIClients/AmazonCustomBuyBoxAssets

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/I/11QXqf0G81L.js?AUIClients/RetailWebsiteOverlayAUIAssets

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/G/01/AUIClients/GenericObservableJS-c1a60b0cbfbf5d9a43a472c753b5426b6b9787a4._V2_.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/G/01/ape/sf/desktop/sf-1.05._V508917648_.html

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/G/01/x-locale/redirect-overlay/redirect-overlay-nav-mx-https-20150828._CB311575010_.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/G/01/AUIClients/CustomerReviewsVotingAssets-c0c19d4a8c14ce6df3e0eea3ac89027a10d85f27._V2_.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/I/01sHjb7jFEL._RC%7C01JFM6wegIL.js,71Fmo1RrSQL.js,51rJ-Yggh5L.js,01A18a0oAWL.js,41wJWCv8skL.js,010XVa0zfKL.js,01wBjiz9OvL.js,21cYJCoMH8L.js,31p47EklYvL.js,51RgqN98m2L.js,01yqjEE29CL.js_.js?AUIClients/NavDesktopMetaAsset

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/G/01/AUIClients/CustomerReviewsCommonAssets-c65b3a408bdffb7d5a91cdc972240067ea4b4239._V2_.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/I/51soGaISwVL._RC%7C21thLxrpr2L.css,01lO3awdqlL.css,01TQCVEAmxL.css,61GO9JjzdoL.css_.css?AUIClients/RetailSearchAssets

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/I/31vOyNnYYfL._RC%7C115I705N2vL.js,214q28gHRFL.js,21Cf9Zg6OuL.js,11BbuR7S5HL.js,01VtYReatCL.js,41EgbeXz8LL.js,31kvu9yxctL.js,21-QFBTP--L.js,31tRbGFEWhL.js,41eZpV2vqAL.js,01RHiyjONOL.js,41YlPvEGjeL.js,113XFQQ12YL.js,31CHjsc-XbL.js,31E2DpzrxML.js,41I40+3voZL.js,01CvuB2jSjL.js,016DBHJkIYL.js,21FMgkitIDL.js,21WlZ36dzZL.js,01DdN5HYGpL.js,81Y7BD3UuhL.js,61u22MsJWWL.js,41YEXnxcB8L.js,21-iIISWGML.js,01LHJt5PiyL.js,01d7vjHe3sL.js,31C7lSVrNKL.js,21d0m9V5eVL.js,21vaUH6OP0L.js,0193uyIciNL.js,41LkdMoD5vL.js,11b-3b7kldL.js,01ayMe242LL.js,11ZQs34gE7L.js,01ePd6UuedL.js,61wC0ZnHlhL.js,01OtUmZxPcL.js,11NHZnHlFmL.js,11WXTLsXIfL.js,51E1BNNDo1L.js,31CietAOOFL.js,01gaQLz1HjL.js,01k0F4m0bHL.js,01X2zigX4kL.js,01KlzgFNohL.js,01f+LgRjhOL.js,01x7-p7jLyL.js_.js?AUIClients/USHardlinesDetailPageMetaAsset

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/I/01JFM6wegIL._RC%7C71Fmo1RrSQL.js,51rJ-Yggh5L.js,01A18a0oAWL.js,41wJWCv8skL.js,010XVa0zfKL.js,01wBjiz9OvL.js,21cYJCoMH8L.js,31p47EklYvL.js,51RgqN98m2L.js_.js?AUIClients/NavDesktopMetaAsset

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/G/01/AUIClients/AmazonGatewayHerotatorJS-88bddb8eecf7417097b5fe14f64bea6a47a677c9._V2_.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/I/61tHvuwljLL._RC%7C11IYhapguOL.js,61ZMzlLbF-L.js,012FVc3131L.js,31pYyxAZJRL.js,31Qll8kfk9L.js,516fQ5+zVmL.js,11UpGvgfZkL.js,01xMsWWFUQL.js,11KkQiUpBPL.js,113pP0Sfh0L.js,21auxuI+dRL.js,01PoLXBDXWL.js,61hAabWQm2L.js,01BBu+b9t0L.js,01rpauTep4L.js,01O439IyEZL.js_.js?AUIClients/AmazonUI

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/G/01/AUIClients/AmazonGatewayHerotatorJS-ed6ce4798415244198b464cf366c538b1f2f2537._V2_.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/I/01sXN9XURmL.css?AUIClients/NavCartD12nAsset

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/G/01/x-locale/communities/profile/customer-popover/script-13-min._CB224617671_.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://images-na.ssl-images-amazon.com/images/G/01/x-locale/communities/profile/customer-popover/style-3._CB248984170_.css

    Method

GET

    Parameter

X-Content-Type-Options

Instances

73

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://images-na.ssl-images-amazon.com/images/G/01/AUIClients/AmazonGatewayAuiAssets-fa862379a1e2db915371de68cf095bb6b94a44fb._V2_.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/61oz+W7yptL._RC%7C01evdoiemkL.css,01pVbSC-RPL.css,01K+Ps1DeEL.css,312AzKJvYEL.css,01ewogTCD+L.css,11Q+QzSCWIL.css,11csd67uccL.css,11g4ZqMHAkL.css,21Pd9HarLOL.css,010v3Ej3+6L.css,21HId9JfYYL.css,01LJGuGyVyL.css,11Uut0mIL8L.css,11Fd9tJOdtL.css,21RNFprmuBL.css,11WgRxUdJRL.css,01TvogYZ+AL.css,01G4hnpC1nL.css,01SHjPML6tL.css,11e2M+GTQOL.css,01QrWuRrZ-L.css,31jcFDxFbTL.css,01ZZEwsrOcL.css_.css?AUIClients/AmazonUI

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/31c%2BSbEi%2BkL.css?AUIClients/AskAuiAssets

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/G/01/nav2/gamma/websiteGridCSS/websiteGridCSS-websiteGridCSS-48346.css._CB176526456_.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/512sNh%2Ba1aL.css?AUIClients/AmazonCustomBuyBoxAssets

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/G/01/x-locale/communities/profile/customer-popover/style-3._CB248984170_.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/G/01/browser-scripts/fruitCSS/US-secure-combined-11313707._CB320013561_.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/G/01/AUIClients/CustomerReviewsCommonAssets-a34e1e862b16d75ce6ba00ef2f7b803798a76650._V2_.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/61Lpx-8QBcL._RC%7C01wj5zg4yGL.css,31+C8rQtOEL.css,21E1MhZOpTL.css,31AMpirNLiL.css,01NHva6qGRL.css,31UlxNhlUML.css_.css?AUIClients/NavDesktopMetaAsset

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/31J3cLgQP7L.css?AUIClients/SoftlinesRetailSearchAssets

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/61XASiqFQYL._RC%7C01JvJFCUjYL.css,01pVbSC-RPL.css,01K+Ps1DeEL.css,31YvFMgKYHL.css,01ewogTCD+L.css,11Q+QzSCWIL.css,11UbYilk4mL.css,11g4ZqMHAkL.css,21Pd9HarLOL.css,015uc33ipFL.css,21HId9JfYYL.css,01LJGuGyVyL.css,11Uut0mIL8L.css,11Fd9tJOdtL.css,21RNFprmuBL.css,11WgRxUdJRL.css,01TvogYZ+AL.css,01G4hnpC1nL.css,01SHjPML6tL.css,11e2M+GTQOL.css,01QrWuRrZ-L.css,31B36zS86yL.css,01ZZEwsrOcL.css_.css?AUIClients/AmazonUI

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/G/01/AUIClients/AmazonGatewayHerotatorJS-ed6ce4798415244198b464cf366c538b1f2f2537._V2_.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/G/01/vap/video/airy2/prod/2.0.1452.0/css/beacon._CB507135934_.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/G/01/AUIClients/CustomerReviewsGalleryAssets-37611201eb68772cbe9eabf924d40a0bb442eaf8._V2_.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/215fwAdUqRL.css?AUIClients/EDPAsset

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/51soGaISwVL._RC%7C21thLxrpr2L.css,01lO3awdqlL.css,01TQCVEAmxL.css,61GO9JjzdoL.css_.css?AUIClients/RetailSearchAssets

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/61oz%2BW7yptL._RC%7C01evdoiemkL.css,01pVbSC-RPL.css,01K+Ps1DeEL.css,31YggQNnTFL.css,01ewogTCD+L.css,11Q+QzSCWIL.css,21XNrWobyaL.css,11g4ZqMHAkL.css,21Pd9HarLOL.css,010v3Ej3+6L.css,21HId9JfYYL.css,01LJGuGyVyL.css,11Uut0mIL8L.css,11vZhCgAHbL.css,21RNFprmuBL.css,11WgRxUdJRL.css,01gkYI+3ywL.css,01G4hnpC1nL.css,01SHjPML6tL.css,11e2M+GTQOL.css,01QrWuRrZ-L.css,31jcFDxFbTL.css,01ZZEwsrOcL.css_.css?AUIClients/AmazonUI

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/01sXN9XURmL.css?AUIClients/NavCartD12nAsset

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/61bL%2BpJQTLL._RC%7C11zFhuTDFqL.css,11ikU6MX1JL.css,31uTL6-TJHL.css,21lcA-0gDcL.css,01uwSfX2vxL.css,110CMQRxKLL.css,21lr10GI3YL.css,01OT3mZ3tNL.css,11xRy3bSkOL.css,412U7OlU5-L.css,0143hM3KisL.css,01FlII1u-ZL.css,21Cv6eMNzzL.css,21thLxrpr2L.css,31MyzjXZJnL.css,01KeIGNrFnL.css,01QUs5FVXoL.css,11MXghh1eBL.css,01hvfEvfPgL.css,41A3MwXNi4L.css,31DJFjtqQ7L.css,21zcRoEHaSL.css,01GT2VH57dL.css,21lNW82MJSL.css,3124KBJbE1L.css,01rgQ3jqo7L.css,217Ot7KD+CL.css,31LmJetX2HL.css,11X8K4AolpL.css,21PjfsP9YvL.css,21AfeXszZhL.css,314F2rZxPML.css,014Z+MbaRaL.css,016xTzXJLfL.css,21TgMdLEoEL.css,01ZGR4PDSTL.css,218XVPWf2YL.css,31l3isVDwcL.css,01fo4HYb47L.css,01NW8VTUeVL.css,01rgQ3jqo7L.css_.css?AUIClients/USHardlinesDetailPageMetaAsset

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

URL

https://images-na.ssl-images-amazon.com/images/I/31LmJetX2HL.css?AUIClients/DetailPageOffersDPv2Assets

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=630720000,public

Instances

33

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Secure Pages Include Mixed Content

Description

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

URL

https://images-na.ssl-images-amazon.com/images/G/01/twister/beta/twister-dpf.87b069b255db02b4805f7e714b617f8f._V1_.js

    Method

GET

    Evidence

http://images.amazon.com/images/G/01/x-locale/communities/tags/snake.gif

Instances

1

Solution

A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.

The page must not contain any content that is transmitted over unencrypted HTTP.

This includes content from third party sites.

Other information

tag=img src=http://images.amazon.com/images/G/01/x-locale/communities/tags/snake.gif

Reference

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

CWE Id

311

WASC Id

4

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://images-na.ssl-images-amazon.com/images/G/01/ape/sf/desktop/sf-1.05._V508917648_.html

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://init.itunes.apple.com/bag.xml?guid=F45C89B50505&ix=5

    Method

GET

    Parameter

Cache-Control

    Evidence

no-transform, max-age=8166

URL

https://init.itunes.apple.com/WebObjects/MZInit.woa/wa/signSapSetupCert?guid=F45C89B50505

    Method

GET

    Parameter

Cache-Control

    Evidence

no-transform, max-age=983

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://init.itunes.apple.com/WebObjects/MZInit.woa/wa/signSapSetupCert?guid=F45C89B50505

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://init.itunes.apple.com/bag.xml?guid=F45C89B50505&ix=5

    Method

GET

    Parameter

X-Content-Type-Options

Instances

2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://iterm2.com/appcasts/final.xml?shard=37

    Method

GET

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://iterm2.com/appcasts/final.xml?shard=37

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://javadl-esd-secure.oracle.com/update/mac/au-1.8.0_131.xml

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, no-cache

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://javadl-esd-secure.oracle.com/update/mac/au-1.8.0_131.xml

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://js-agent.newrelic.com/nr-1039.min.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://js.hs-analytics.net/analytics/1498842300000/2249672.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://js.hs-scripts.com/2249672.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://js.intercomcdn.com/fonts/proximanova-regular.a7942249.woff

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://js.intercomcdn.com/shim.850616e4.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://js.intercomcdn.com/frame.a2b752b4.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://lc.livefyre.com/livecountping/188967460/374568107008?__=vdy54pjbbydq&timeout=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc.livefyre.com/livecountping/188966641/86643798464?__=qzv3kkniiuey&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc.livefyre.com/livecountping/188967460/374568107008?__=6nt4nkgkzh8o&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc.livefyre.com/livecountping/188967460/374568107008?__=v6yv4mptssds&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc.livefyre.com/livecountping/188967460/374568107008?__=pjkydiw0oiz4&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc.livefyre.com/livecountping/188966641/86643798464?__=1d8m1be8oasm&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc.livefyre.com/livecountping/188966188/531411023645?__=dre8ca7zknh3&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

Instances

7

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://lc.livefyre.com/livecountping/188966641/86643798464?__=1d8m1be8oasm&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc.livefyre.com/livecountping/188967460/374568107008?__=v6yv4mptssds&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc.livefyre.com/livecountping/188967460/374568107008?__=vdy54pjbbydq&timeout=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc.livefyre.com/livecountping/188967460/374568107008?__=pjkydiw0oiz4&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc.livefyre.com/livecountping/188966641/86643798464?__=qzv3kkniiuey&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc.livefyre.com/livecountping/188967460/374568107008?__=6nt4nkgkzh8o&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc.livefyre.com/livecountping/188966188/531411023645?__=dre8ca7zknh3&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

Instances

7

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://lc71.dsr.livefyre.com/livecountping/188966641/86643798464?__=h1uszx4xoxyb&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc71.dsr.livefyre.com/livecountping/188966641/86643798464?__=3azjcn51s1d0&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc71.dsr.livefyre.com/livecountping/188966641/86643798464?__=hfa7f0lfem4q&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://lc71.dsr.livefyre.com/livecountping/188966641/86643798464?__=h1uszx4xoxyb&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc71.dsr.livefyre.com/livecountping/188966641/86643798464?__=hfa7f0lfem4q&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc71.dsr.livefyre.com/livecountping/188966641/86643798464?__=3azjcn51s1d0&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=w02vwlj2x6f0&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=rwiadfqhqzi&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=ejfdx096nkzq&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=sd6i6vrmxigq&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=modhj0o62q46&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=458mhg4oetic&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=fqsgcat9z2pq&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=u1x71apzgz6j&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=who4gftgzqd0&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=xpwfnkgu8dgd&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=eqmjbnrj2wmv&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

Cache-Control

Instances

11

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=458mhg4oetic&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=who4gftgzqd0&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=sd6i6vrmxigq&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=u1x71apzgz6j&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=modhj0o62q46&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=fqsgcat9z2pq&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=rwiadfqhqzi&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=ejfdx096nkzq&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=w02vwlj2x6f0&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=xpwfnkgu8dgd&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://lc79.dsr.livefyre.com/livecountping/188966188/531411023645?__=eqmjbnrj2wmv&routed=1&jid&siteId=381623&networkId=microsoft.fyre.co

    Method

GET

    Parameter

X-Content-Type-Options

Instances

11

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://livefyre-cdn.s3.amazonaws.com/libs/identity/v1.1.5/simple/css/default/sp.css

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://livefyre-cdn.s3.amazonaws.com/libs/identity/v1.1.5/simple/css/default/sp.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, no-transform, public

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://login.salesforce.com/

    Method

POST

    Parameter

com.salesforce.LocaleInfo

    Evidence

Set-Cookie: com.salesforce.LocaleInfo

URL

https://login.salesforce.com/

    Method

POST

    Parameter

rememberUn

    Evidence

Set-Cookie: rememberUn

URL

https://login.salesforce.com/

    Method

POST

    Parameter

oinfo

    Evidence

Set-Cookie: oinfo

URL

https://login.salesforce.com/

    Method

POST

    Parameter

QCQQR3

    Evidence

Set-Cookie: QCQQR3

URL

https://login.salesforce.com/

    Method

POST

    Parameter

inst

    Evidence

Set-Cookie: inst

URL

https://login.salesforce.com/

    Method

POST

    Parameter

QCQQ

    Evidence

Set-Cookie: QCQQ

URL

https://login.salesforce.com/

    Method

GET

    Parameter

QCQQ

    Evidence

Set-Cookie: QCQQ

URL

https://login.salesforce.com/

    Method

POST

    Parameter

login

    Evidence

Set-Cookie: login

Instances

8

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://login.salesforce.com/

    Method

POST

    Parameter

oinfo

    Evidence

Set-Cookie: oinfo

URL

https://login.salesforce.com/

    Method

POST

    Parameter

com.salesforce.LocaleInfo

    Evidence

Set-Cookie: com.salesforce.LocaleInfo

URL

https://login.salesforce.com/

    Method

POST

    Parameter

inst

    Evidence

Set-Cookie: inst

URL

https://login.salesforce.com/

    Method

POST

    Parameter

QCQQR3

    Evidence

Set-Cookie: QCQQR3

URL

https://login.salesforce.com/

    Method

POST

    Parameter

rememberUn

    Evidence

Set-Cookie: rememberUn

URL

https://login.salesforce.com/

    Method

POST

    Parameter

login

    Evidence

Set-Cookie: login

URL

https://login.salesforce.com/

    Method

GET

    Parameter

QCQQ

    Evidence

Set-Cookie: QCQQ

URL

https://login.salesforce.com/

    Method

POST

    Parameter

QCQQ

    Evidence

Set-Cookie: QCQQ

Instances

8

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://login.salesforce.com/

    Method

GET

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://m.addthis.com/live/red_lojson/300lo.json?si=5956bf8b449f0662&bkl=0&bl=1&pdt=1599&sid=5956bf8b449f0662&pub=ra-4e9e731461d9e491&rev=v7.15.4-wp&ln=en&pc=men&cb=0&ab=-&dp=peal.io&dr=www.google.com&fp=soundboards%2Frick-and-morty&fr=&of=0&pd=0&irt=1&vcl=1&md=0&ct=1&tct=0&abt=0&cdn=0&pi=1&rb=4&gen=100&chr=UTF-8&colc=1498857359331&jsl=8321&uvs=5956bf8bd34eeafa000&skipb=1&callback=addthis.cbs.oln9_84126225628902710

    Method

GET

    Parameter

vc

    Evidence

Set-Cookie: vc

URL

https://m.addthis.com/live/red_lojson/300lo.json?si=5956bf8b449f0662&bkl=0&bl=1&pdt=1599&sid=5956bf8b449f0662&pub=ra-4e9e731461d9e491&rev=v7.15.4-wp&ln=en&pc=men&cb=0&ab=-&dp=peal.io&dr=www.google.com&fp=soundboards%2Frick-and-morty&fr=&of=0&pd=0&irt=1&vcl=1&md=0&ct=1&tct=0&abt=0&cdn=0&pi=1&rb=4&gen=100&chr=UTF-8&colc=1498857359331&jsl=8321&uvs=5956bf8bd34eeafa000&skipb=1&callback=addthis.cbs.oln9_84126225628902710

    Method

GET

    Parameter

di2

    Evidence

Set-Cookie: di2

URL

https://m.addthis.com/live/red_lojson/300lo.json?si=5956bf8b449f0662&bkl=0&bl=1&pdt=1599&sid=5956bf8b449f0662&pub=ra-4e9e731461d9e491&rev=v7.15.4-wp&ln=en&pc=men&cb=0&ab=-&dp=peal.io&dr=www.google.com&fp=soundboards%2Frick-and-morty&fr=&of=0&pd=0&irt=1&vcl=1&md=0&ct=1&tct=0&abt=0&cdn=0&pi=1&rb=4&gen=100&chr=UTF-8&colc=1498857359331&jsl=8321&uvs=5956bf8bd34eeafa000&skipb=1&callback=addthis.cbs.oln9_84126225628902710

    Method

GET

    Parameter

uid

    Evidence

Set-Cookie: uid

Instances

3

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://m.addthis.com/live/red_lojson/300lo.json?si=5956bf8b449f0662&bkl=0&bl=1&pdt=1599&sid=5956bf8b449f0662&pub=ra-4e9e731461d9e491&rev=v7.15.4-wp&ln=en&pc=men&cb=0&ab=-&dp=peal.io&dr=www.google.com&fp=soundboards%2Frick-and-morty&fr=&of=0&pd=0&irt=1&vcl=1&md=0&ct=1&tct=0&abt=0&cdn=0&pi=1&rb=4&gen=100&chr=UTF-8&colc=1498857359331&jsl=8321&uvs=5956bf8bd34eeafa000&skipb=1&callback=addthis.cbs.oln9_84126225628902710

    Method

GET

    Parameter

di2

    Evidence

Set-Cookie: di2

URL

https://m.addthis.com/live/red_lojson/300lo.json?si=5956bf8b449f0662&bkl=0&bl=1&pdt=1599&sid=5956bf8b449f0662&pub=ra-4e9e731461d9e491&rev=v7.15.4-wp&ln=en&pc=men&cb=0&ab=-&dp=peal.io&dr=www.google.com&fp=soundboards%2Frick-and-morty&fr=&of=0&pd=0&irt=1&vcl=1&md=0&ct=1&tct=0&abt=0&cdn=0&pi=1&rb=4&gen=100&chr=UTF-8&colc=1498857359331&jsl=8321&uvs=5956bf8bd34eeafa000&skipb=1&callback=addthis.cbs.oln9_84126225628902710

    Method

GET

    Parameter

vc

    Evidence

Set-Cookie: vc

URL

https://m.addthis.com/live/red_lojson/300lo.json?si=5956bf8b449f0662&bkl=0&bl=1&pdt=1599&sid=5956bf8b449f0662&pub=ra-4e9e731461d9e491&rev=v7.15.4-wp&ln=en&pc=men&cb=0&ab=-&dp=peal.io&dr=www.google.com&fp=soundboards%2Frick-and-morty&fr=&of=0&pd=0&irt=1&vcl=1&md=0&ct=1&tct=0&abt=0&cdn=0&pi=1&rb=4&gen=100&chr=UTF-8&colc=1498857359331&jsl=8321&uvs=5956bf8bd34eeafa000&skipb=1&callback=addthis.cbs.oln9_84126225628902710

    Method

GET

    Parameter

uid

    Evidence

Set-Cookie: uid

Instances

3

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://m.addthis.com/live/red_lojson/300lo.json?si=5956bf8b449f0662&bkl=0&bl=1&pdt=1599&sid=5956bf8b449f0662&pub=ra-4e9e731461d9e491&rev=v7.15.4-wp&ln=en&pc=men&cb=0&ab=-&dp=peal.io&dr=www.google.com&fp=soundboards%2Frick-and-morty&fr=&of=0&pd=0&irt=1&vcl=1&md=0&ct=1&tct=0&abt=0&cdn=0&pi=1&rb=4&gen=100&chr=UTF-8&colc=1498857359331&jsl=8321&uvs=5956bf8bd34eeafa000&skipb=1&callback=addthis.cbs.oln9_84126225628902710

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://m.addthisedge.com/live/boost/ra-4e9e731461d9e491/_ate.track.config_resp

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://m.media-amazon.com/images/G/01/AUIClients/AmazonUIBaseCSS-amazonember_rg-cc7ebaa05a2cd3b02c0929ac0475a44ab30b7efa._V2_.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://m.media-amazon.com/images/G/01/AUIClients/AmazonUIBaseCSS-amazonember_rgit-9cc1bb64eb270135f1adf3a4881c2ee5e7c37be5._V2_.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://m.media-amazon.com/images/G/01/AUIClients/AmazonUIBaseCSS-amazonember_bd-46b91bda68161c14e554a779643ef4957431987b._V2_.woff2

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://mail.google.com/mail/u/0/?ui=2&ik=232e821c66&jsver=lEZPUTRTfxI.en.&rid=e146..&at=AF6bupMh0I-0nSPny2ZGLdvHp0gtJHWPrQ&view=tl&start=0&num=9&avw=1178&ntlv=1&auto=1&ver=lEZPUTRTfxI.en.&am=!KPa8o3_Ir1vfxZTyKAk2TJ3NAkFcu7WaZZJ3Wb4tPc6WDENK9KYgcdozQw5flFoGNSiwr3qnqaB1fOh-HmMGXPdNI8PA&ari=120&_reqid=8634688&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_STAT_e146

    Evidence

Set-Cookie: GMAIL_STAT_e146

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=rusl&_reqid=41134696&pcd=1&mb=0&rt=c

    Method

POST

    Parameter

GMAIL_IMP

    Evidence

Set-Cookie: GMAIL_IMP

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=tl&start=0&num=15&avw=1186&auto=1&ver=lEZPUTRTfxI.en.&am=!KPa8o3_Ir1vfxZTyKAk2TJmdAkFQu7UaZJJ3WfoMAd5WtNyU5pAE5jvduP3f7Yaw_1PnOuZIW0pD3U1Q21GklV4hVFQl&ari=120&_reqid=47434696&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_STAT_5a0f

    Evidence

Set-Cookie: GMAIL_STAT_5a0f

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=rd&vrd=1&_reqid=39434696&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_STAT_5a0f

    Evidence

Set-Cookie: GMAIL_STAT_5a0f

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=tl&start=0&num=70&avw=1186&ntlv=6&auto=1&ver=lEZPUTRTfxI.en.&am=!KPa8o3_Ir1vfxZTyKAk2TJmdAkFQu7UaZJJ3WfoMAd5WtNyU5pAE5jvduP3f7Yaw_1PnOuZIW0pD3U1Q21GklV4hVFQl&_reqid=23034696&pcd=1&mb=0&rt=j&q=is%3Astarred&name=is%3Astarred&search=section_query

    Method

POST

    Parameter

GMAIL_STAT_5a0f

    Evidence

Set-Cookie: GMAIL_STAT_5a0f

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=tl&start=0&num=15&avw=1178&ntlv=2&auto=1&ver=lEZPUTRTfxI.en.&am=!KPa8o3_Ir1vfxZTyKAk2TJmdAkFQu7UaZJJ3WfoMAd5WtNyU5pAE5jvduP3f7Yaw_1PnOuZIW0pD3U1Q21GklV4hVFQl&ari=120&_reqid=11634696&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_STAT_5a0f

    Evidence

Set-Cookie: GMAIL_STAT_5a0f

URL

https://mail.google.com/mail/u/0/?ui=2&ik=232e821c66&jsver=lEZPUTRTfxI.en.&rid=e146..&at=AF6bupMh0I-0nSPny2ZGLdvHp0gtJHWPrQ&view=tl&start=0&num=9&avw=1186&ntlv=1&auto=1&ver=lEZPUTRTfxI.en.&am=!KPa8o3_Ir1vfxZTyKAk2TJ3NAkFcu7WaZZJ3Wb4tPc6WDENK9KYgcdozQw5flFoGNSiwr3qnqaB1fOh-HmMGXPdNI8PA&ari=120&_reqid=28834688&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_STAT_e146

    Evidence

Set-Cookie: GMAIL_STAT_e146

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=rusl&_reqid=5834696&pcd=1&mb=0&rt=c

    Method

POST

    Parameter

GMAIL_IMP

    Evidence

Set-Cookie: GMAIL_IMP

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=mail%3Aarl.5a0f.28.0&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=arl&asrc=2&acn=Bluenile%20Business%20Stuff%2Fbilling&_reqid=46134696&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_STAT_5a0f

    Evidence

Set-Cookie: GMAIL_STAT_5a0f

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=rusl&_reqid=34534696&pcd=1&mb=0&rt=c

    Method

POST

    Parameter

GMAIL_IMP

    Evidence

Set-Cookie: GMAIL_IMP

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=mail%3Aarl.5a0f.17.0&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=arl&asrc=2&acn=Bluenile%20Business%20Stuff%2Fsales&_reqid=32734696&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_STAT_5a0f

    Evidence

Set-Cookie: GMAIL_STAT_5a0f

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=tl&start=0&num=15&avw=1178&ntlv=5&auto=1&ver=lEZPUTRTfxI.en.&am=!KPa8o3_Ir1vfxZTyKAk2TJmdAkFQu7UaZJJ3WfoMAd5WtNyU5pAE5jvduP3f7Yaw_1PnOuZIW0pD3U1Q21GklV4hVFQl&ari=120&_reqid=6934696&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_STAT_5a0f

    Evidence

Set-Cookie: GMAIL_STAT_5a0f

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=xst&_reqid=15634696&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_IMP

    Evidence

Set-Cookie: GMAIL_IMP

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=sd&jsid=vtne0rjwypaz&cmid=1&permmsgid=msg-a%3Ar927552021574647991&pes=1&cmeb=0&cmml=170&autosave=1&_reqid=8934696&pcd=1&mb=0&rt=j&q=is%3Astarred&name=is%3Astarred&search=section_query

    Method

POST

    Parameter

GMAIL_IMP

    Evidence

Set-Cookie: GMAIL_IMP

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=mail%3Aarl.5a0f.11.0&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=arl&asrc=2&acn=ET%20clients%2Fgalileo&_reqid=15534696&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_IMP

    Evidence

Set-Cookie: GMAIL_IMP

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=tl&start=0&num=15&avw=1186&ntlv=6&auto=1&ver=lEZPUTRTfxI.en.&am=!KPa8o3_Ir1vfxZTyKAk2TJmdAkFQu7UaZJJ3WfoMAd5WtNyU5pAE5jvduP3f7Yaw_1PnOuZIW0pD3U1Q21GklV4hVFQl&ari=120&_reqid=39934696&pcd=1&mb=0&rt=j&q=is%3Astarred&name=is%3Astarred&search=section_query

    Method

POST

    Parameter

GMAIL_STAT_5a0f

    Evidence

Set-Cookie: GMAIL_STAT_5a0f

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=mail%3Amar.5a0f.12.0&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=rd&_reqid=15734696&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_IMP

    Evidence

Set-Cookie: GMAIL_IMP

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=rusl&_reqid=13434696&pcd=1&mb=0&rt=c

    Method

POST

    Parameter

GMAIL_IMP

    Evidence

Set-Cookie: GMAIL_IMP

URL

https://mail.google.com/mail/u/0/?ui=2&ik=232e821c66&jsver=lEZPUTRTfxI.en.&rid=mail%3Amar.e146.14.0&at=AF6bupMh0I-0nSPny2ZGLdvHp0gtJHWPrQ&view=up&act=rd&_reqid=28134688&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_IMP

    Evidence

Set-Cookie: GMAIL_IMP

URL

https://mail.google.com/mail/u/1/?ui=2&ik=194312420a&jsver=lEZPUTRTfxI.en.&rid=5a0f..&at=AF6bupOFcnxeX6MFe3DdWDjxawYUgCxXxw&view=up&act=rd&vrd=1&_reqid=46734696&pcd=1&mb=0&rt=j&q=is%3Aunread&name=is%3Aunread&search=section_query

    Method

POST

    Parameter

GMAIL_STAT_5a0f

    Evidence

Set-Cookie: GMAIL_STAT_5a0f

Instances

83

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://manifest.googlevideo.com/api/manifest/dash/mn/sn-o097znll/mm/31/hfr/all/sparams/as%2Cei%2Chfr%2Cid%2Cinitcwndbps%2Cip%2Cipbits%2Citag%2Cmm%2Cmn%2Cms%2Cmv%2Cpl%2Cplayback_host%2Crequiressl%2Csource%2Cexpire/ipbits/0/key/yt6/ip/73.170.79.207/requiressl/yes/signature/8E1247D6E0980D3CF9CEAA83FCD8E2FBC77DE7D7.70C11748FA9510F680097C6920019C193968E999/pl/16/as/fmp4_audio_clear%2Cfmp4_sd_hd_clear/source/youtube/expire/1498880813/mv/m/initcwndbps/1845000/itag/0/mt/1498859099/ms/au/playback_host/r15---sn-o097znll.googlevideo.com/ei/zcZWWbDyCMq6-gOn8bPoDQ/id/74abca15da6e06be?cpn=ngwOz2ZOr0WQw0aP&mpd_version=5&pacing=0

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://manifest.googlevideo.com/api/manifest/dash/ei/QsdWWYXWBZ6q_AOi8KjoDA/ms/au/expire/1498880930/source/youtube/initcwndbps/1823750/mv/m/id/fdd34a4af3fca966/sparams/as%2Cei%2Chfr%2Cid%2Cinitcwndbps%2Cip%2Cipbits%2Citag%2Cmm%2Cmn%2Cms%2Cmv%2Cpl%2Cplayback_host%2Crequiressl%2Csource%2Cexpire/signature/022D90B96F18C0F90F3DAAC3366B6DE38BA2BF2A.84B2F23A066FD030B4B53D708FD06102F7BAD238/requiressl/yes/mt/1498859210/key/yt6/ipbits/0/playback_host/r5---sn-n4v7sn7z.googlevideo.com/hfr/all/pl/16/itag/0/mm/31/ip/73.170.79.207/as/fmp4_audio_clear%2Cfmp4_sd_hd_clear/mn/sn-n4v7sn7z?cpn=t2tSX_mxEEcLfoaa&mpd_version=5&pacing=0

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://manifest.googlevideo.com/api/manifest/dash/ipbits/0/mm/31/hfr/all/sparams/as%2Cei%2Chfr%2Cid%2Cinitcwndbps%2Cip%2Cipbits%2Citag%2Cmm%2Cmn%2Cms%2Cmv%2Cpl%2Cplayback_host%2Crequiressl%2Csource%2Cexpire/id/fdd34a4af3fca966/pl/16/signature/9E9D9B95580AE61D08992467C5F66605C40AFB6C.816EBB905C5447338BFA5B22F67777F58C8972AE/expire/1498881000/as/fmp4_audio_clear%2Cfmp4_sd_hd_clear/mn/sn-o097znld/itag/0/ei/h8dWWbrrONCs-gOykYfYBw/ip/73.170.79.207/source/youtube/requiressl/yes/initcwndbps/1786250/mt/1498859314/playback_host/r5---sn-o097znld.googlevideo.com/mv/m/key/yt6/ms/au?cpn=uu767zTsH4eW7r1v&mpd_version=5&pacing=0

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate?1shttps%3A%2F%2Fgoogle-developers.appspot.com%2Fmaps%2Fdocumentation%2Futils%2Fgeocoder%2Fembed&2sgme-addictive&3sgeocoder-tool-embed&callback=_xdc_._fcyby6&token=22276

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://maps.googleapis.com/maps/api/js/StatsService.RecordStats?1m3&1sut%7Cclient%3Agme-addictive&2smapview&5v1&1m3&1sut%7Cclient%3Agme-addictive%7Cchannel%3Ageocoder-tool-embed&2smapview&5v1&1m5&1sut%7Cclient%3Agme-addictive&2schannel&6m2&1sgeocoder-tool-embed&2v1&callback=_xdc_._k7vo&token=123408

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://maps.googleapis.com/maps/api/js/QuotaService.RecordEvent?1shttps%3A%2F%2Fgoogle-developers.appspot.com%2Fmaps%2Fdocumentation%2Futils%2Fgeocoder%2Fembed&2sgme-addictive&5e0&6u1&7skdk7vm&9sgeocoder-tool-embed&callback=_xdc_._pwnre2&token=7973

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://maps.googleapis.com/maps/api/js/GeocodeService.Search?4s123%20Main%20Street%2C%20Oakland%2C%20CA&7sUS&9sen-US&client=gme-addictive&channel=geocoder-tool-embed&callback=_xdc_._8mcbyb&token=125900

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://maps.googleapis.com/maps/api/js/StatsService.RecordStats?1m5&1sut%7Cclient%3Agme-addictive&2sgeocodeCountry&6m2&1sUS&2v1&1m5&1sut%7Cclient%3Agme-addictive%7Cchannel%3Ageocoder-tool-embed&2sgeocodeCountry&6m2&1sUS&2v1&1m5&1sut%7Cclient%3Agme-addictive&2sgeocodeStatus&6m2&1sOK&2v1&1m5&1sut%7Cclient%3Agme-addictive%7Cchannel%3Ageocoder-tool-embed&2sgeocodeStatus&6m2&1sOK&2v1&callback=_xdc_._l5cz&token=7750

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://maps.googleapis.com/maps/api/js/StatsService.RecordStats?1m5&1sut%7Cclient%3Agme-addictive&2sinteraction&6m2&1sjump&2v1&1m5&1sut%7Cclient%3Agme-addictive%7Cchannel%3Ageocoder-tool-embed&2sinteraction&6m2&1sjump&2v1&1m5&1sut%7Cclient%3Agme-addictive&2szoom&6m2&1s17&2v1&1m5&1sut%7Cclient%3Agme-addictive%7Cchannel%3Ageocoder-tool-embed&2szoom&6m2&1s17&2v1&1m5&1sut%7Cclient%3Agme-addictive&2szoomInteraction&6m2&1sin&2v1&1m5&1sut%7Cclient%3Agme-addictive%7Cchannel%3Ageocoder-tool-embed&2szoomInteraction&6m2&1sin&2v1&1m5&1sut%7Cclient%3Agme-addictive&2sinteraction&6m2&1szoom&2v1&1m5&1sut%7Cclient%3Agme-addictive%7Cchannel%3Ageocoder-tool-embed&2sinteraction&6m2&1szoom&2v1&callback=_xdc_._l5hx&token=28131

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo?1m6&1m2&1d37.78648404993322&2d-122.40860628643912&2m2&1d37.796997252280626&2d-122.38418852614836&2u17&4sen-US&5e0&6sm%40383000000&7b0&8e0&callback=_xdc_._5tky9i&token=5392

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo?1m6&1m2&1d-90&2d-180&2m2&1d90&2d180&2u3&4sen-US&5e0&6sm%40383000000&7b0&8e0&callback=_xdc_._zfrf0e&token=114902

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://maps.googleapis.com/maps/api/geocode/json?address=41399+Chapel+Way,+Fremont,CA&key=AIzaSyDrqWOUZZD2uJheCJD5uS2luk7R7aZGyIE

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://maps.googleapis.com/maps/api/js?v=3.exp&client=gme-addictive&channel=geocoder-tool-embed&libraries=places

    Method

GET

    Parameter

X-Content-Type-Options

Instances

10

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://maps.googleapis.com/maps/api/geocode/json?address=41399+Chapel+Way,+Fremont,CA&key=AIzaSyDrqWOUZZD2uJheCJD5uS2luk7R7aZGyIE

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, must-revalidate

URL

https://maps.googleapis.com/maps/api/geocode/json?address=41399+Chapel+Way,+Fremont,CA&key=AIzaSyDrqWOUZZD2uJheCJD5uS2luk7R7aZGyIE

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=86400

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://marketing.dropbox.com/s/%3Atkey/%2Apath?referrer=

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://marketing.dropbox.com/s/%3Atkey/%2Apath?referrer=

    Method

GET

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://marketing.dropbox.com/s/%3Atkey/%2Apath?referrer=

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://maxcdn.bootstrapcdn.com/font-awesome/4.4.0/fonts/fontawesome-webfont.woff2?v=4.4.0

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31104000

URL

https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31104000

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://mc.exacttarget.com/cloud/

    Method

GET

    Parameter

xt_0d95e

    Evidence

Set-Cookie: xt_0d95e

URL

https://mc.exacttarget.com/cloud/tools/PrivateLabel.ashx?wl=NiwzMDA1OTUwLGZlOTk1

    Method

GET

    Parameter

imh_cookie

    Evidence

Set-Cookie: imh_cookie

URL

https://mc.exacttarget.com/cloud/

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://mc.exacttarget.com/cloud/login.html?hash=logged-inIw==

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

Instances

4

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://mc.exacttarget.com/cloud/

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.exacttarget.com/cloud/tools/PrivateLabel.ashx?wl=NiwzMDA1OTUwLGZlOTk1

    Method

GET

    Parameter

X-Content-Type-Options

Instances

2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://mc.exacttarget.com/cloud/tools/PrivateLabel.ashx?wl=NiwzMDA1OTUwLGZlOTk1

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.exacttarget.com/cloud/

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://mc.exacttarget.com/cloud/

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507319

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507240

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507373

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507288

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest//beta/folder/33650/

    Method

GET

    Parameter

rest_cookie

    Evidence

Set-Cookie: rest_cookie

URL

https://mc.s7.exacttarget.com/rest//beta/folder/33261/children?where=allowedtypes%20in%20(%27dataextension%27,%27shared_data%27,%27shared_dataextension%27,%27salesforcedataextension%27,%27shared_salesforcedataextension%27)&$top=250&_=1498855402492

    Method

OPTIONS

    Parameter

rest_cookie

    Evidence

Set-Cookie: rest_cookie

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507107

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest//beta/folder/33261/

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=Y1FuS2N4ZFV4MGU4emJnYXlkQ0NEQToyNTow&$top=25&begin_date=2017-05-30&end_date=2017-06-30&order_by=StartTime%20desc&to_server_time=1&_=1498843507512

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=Y1FuS2N4ZFV4MGU4emJnYXlkQ0NEQToyNTow&$top=50&order_by=StartTime%20desc&_=1498843507471

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507181

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507093

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest//beta/folder/2890/

    Method

OPTIONS

    Parameter

rest_cookie

    Evidence

Set-Cookie: rest_cookie

URL

https://mc.s7.exacttarget.com/rest/beta/automations/worker/instance/?process_instance_id=bTdmemdzQTJvRXlOTHpnXzBlZDFTUToyODow&_=1498843507480

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/AutomationStudioFuel3/update-token.json?_=1498846080558

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=25&begin_date=2017-05-30&end_date=2017-06-30&order_by=StartTime%20desc&to_server_time=1&_=1498843507360

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/Y1FuS2N4ZFV4MGU4emJnYXlkQ0NEQToyNTow/?_=1498843507515

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest//beta/folder/?where=allowedtypes%20in%20(%27dataextension%27,%27shared_data%27,%27shared_dataextension%27,%27salesforcedataextension%27,%27shared_salesforcedataextension%27)&$top=250&_=1498855402480

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/?_=1498843507508

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507351

    Method

GET

    Parameter

ADRUM_BT

    Evidence

Set-Cookie: ADRUM_BT

Instances

544

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507257

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507342

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/AutomationStudioFuel3/fonts/glyphicons-halflings-regular.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507363

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507230

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507260

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507284

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507066

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507147

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507365

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507168

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507144

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507150

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=25&begin_date=2017-05-30&end_date=2017-06-30&order_by=StartTime%20desc&to_server_time=1&_=1498843507307

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507256

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/worker/instance/?process_instance_id=NTRpdVhwcHVVRXVjZjI2VDFnblBEQToyODow&_=1498843507364

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507341

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/?_=1498843507531

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/worker/instance/?process_instance_id=YmczSXR6eWtQa0dTYTVnSHpCNWN5dzoyODow&_=1498843507073

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://mc.s7.exacttarget.com/rest/beta/automations/worker/instance/?process_instance_id=aUdsTVlaOGJuVU9Hd1R5QUVLbFRBUToyODow&_=1498843507472

    Method

GET

    Parameter

X-Content-Type-Options

Instances

484

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=Y1FuS2N4ZFV4MGU4emJnYXlkQ0NEQToyNTow&$top=25&begin_date=2017-05-30&end_date=2017-06-30&order_by=StartTime%20desc&to_server_time=1&_=1498843507512

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=Y1FuS2N4ZFV4MGU4emJnYXlkQ0NEQToyNTow&$top=50&order_by=StartTime%20desc&_=1498843507471

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=25&begin_date=2017-05-30&end_date=2017-06-30&order_by=StartTime%20desc&to_server_time=1&_=1498843507277

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest//beta/folder/?where=allowedtypes%20in%20(%27dataextension%27,%27shared_data%27,%27shared_dataextension%27,%27salesforcedataextension%27,%27shared_salesforcedataextension%27)&$top=250&_=1498855402480

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest//beta/folder/33261/

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=25&begin_date=2017-05-30&end_date=2017-06-30&order_by=StartTime%20desc&to_server_time=1&_=1498843507253

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/worker/instance/?process_instance_id=bUwySUJHdGVka1NKM1RLRUk3RHN5UToyODow&_=1498843507246

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/Y1FuS2N4ZFV4MGU4emJnYXlkQ0NEQToyNTow/?_=1498843507515

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/worker/instance/?process_instance_id=bTdmemdzQTJvRXlOTHpnXzBlZDFTUToyODow&_=1498843507480

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507181

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507303

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507327

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507093

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507351

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507074

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507324

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/

    Method

POST

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507243

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507099

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507319

    Method

GET

    Parameter

Cache-Control

    Evidence

private

Instances

441

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://mc.s7.exacttarget.com/cloud/login.html?hash=logged-inIw%3d%3d

    Method

GET

    Parameter

X-XSS-Protection

URL

https://mc.s7.exacttarget.com/cloud/login.html?hash=logged-inI2FwcC9FbWFpbC9DMTIvRGVmYXVsdC5hc3B4P2VudGl0eVR5cGU9bm9uZSZlbnRpdHlJRD0wJTIzU3Vic2NyaWJlcnMvQ3VzdG9tT2JqZWN0cy8zMzI2Mi8_dHM9MTQ5ODg1NTMxODU4MA==

    Method

GET

    Parameter

X-XSS-Protection

URL

https://mc.s7.exacttarget.com/cloud/

    Method

GET

    Parameter

X-XSS-Protection

URL

https://mc.s7.exacttarget.com/cloud/tools/SSO.aspx?legacy=1&env=default&appId=6DF293A1-4FDC-41CD-AA08-89EFC793C33C&hp=dmZFdTZzVXY0WVk9

    Method

GET

    Parameter

X-XSS-Protection

URL

https://mc.s7.exacttarget.com/cloud/legacy-dashboard.html?hub=1

    Method

GET

    Parameter

X-XSS-Protection

URL

https://mc.s7.exacttarget.com/AutomationStudioFuel3/?hub=1

    Method

GET

    Parameter

X-XSS-Protection

Instances

6

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Content-Type Header Missing

Description

The Content-Type header was either missing or empty.

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=25&begin_date=2017-05-30&end_date=2017-06-30&order_by=StartTime%20desc&to_server_time=1&_=1498843507110

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=Y1FuS2N4ZFV4MGU4emJnYXlkQ0NEQToyNTow&$top=25&begin_date=2017-05-30&end_date=2017-06-30&order_by=StartTime%20desc&to_server_time=1&_=1498843507504

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507314

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507164

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=Y1FuS2N4ZFV4MGU4emJnYXlkQ0NEQToyNTow&$top=50&order_by=StartTime%20desc&_=1498843507423

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=25&begin_date=2017-05-30&end_date=2017-06-30&order_by=StartTime%20desc&to_server_time=1&_=1498843507208

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=25&begin_date=2017-05-30&end_date=2017-06-30&order_by=StartTime%20desc&to_server_time=1&_=1498843507312

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/Y1FuS2N4ZFV4MGU4emJnYXlkQ0NEQToyNTow/?_=1498843507421

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=Y1FuS2N4ZFV4MGU4emJnYXlkQ0NEQToyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507422

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507211

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=Y1FuS2N4ZFV4MGU4emJnYXlkQ0NEQToyNTow&$top=25&begin_date=2017-05-30&end_date=2017-06-30&order_by=StartTime%20desc&to_server_time=1&_=1498843507420

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507109

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507165

    Method

GET

URL

https://mc.s7.exacttarget.com/rest//beta/folder/33262/

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=50&order_by=StartTime%20desc&_=1498843507166

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507313

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507209

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/instance/?definition_id=MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow&$top=5&order_by=StartTime%20desc&to_server_time=1&_=1498843507210

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/bulk/automations/automation/definition/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507162

    Method

GET

URL

https://mc.s7.exacttarget.com/rest/beta/automations/automation/definition/health/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow/?_=1498843507111

    Method

GET

Instances

31

Solution

Ensure each page is setting the specific and appropriate content-type value for the content being delivered.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

CWE Id

345

WASC Id

12

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://mem.gfx.ms/meversion?partner=msdocs&market=en-us

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://members.s7.exacttarget.com/Content/NavTreeAjax.aspx?NavSection=Subscribers&NodeID=33737

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=13%3A47%3A01%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://members.s7.exacttarget.com/C12/Scripts/Utilities/update-token.ashx?_=1498855402477

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=13%3A44%3A39%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://members.s7.exacttarget.com/Content/NavTreeAjax.aspx?NavSection=Subscribers&NodeID=33736

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://members.s7.exacttarget.com/C12/Scripts/Utilities/update-token.ashx?_=1498855402466

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=16%3A03%3A25%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=11%3A15%3A46%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://members.s7.exacttarget.com/Content/Async/TreeCallback.aspx?id=2890&type=dataextension&param=&tsd=true&testableDEsOnly=False&sendableDEsOnly=False&showCheck=False&includeFilteredDEs=False

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=12%3A57%3A06%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://members.s7.exacttarget.com/Content/NavTreeAjax.aspx?NavSection=Interactions&NodeID=33264

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://members.s7.exacttarget.com/C12/Scripts/Utilities/update-token.ashx?_=1498855402456

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://members.s7.exacttarget.com/C12/Scripts/Utilities/update-token.ashx?_=1498846262720

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=subscribers&categoryID=33262&entityType=subscribers&entityID=1

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://members.s7.exacttarget.com/Content/Administration/SendManagement/SendDefinitionListing.aspx?saved=True&CategoryID=2888

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://members.s7.exacttarget.com/C12/Scripts/Utilities/update-token.ashx?v=155.3.2.9

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=13%3A56%3A47%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://members.s7.exacttarget.com/Content/Administration/SendManagement/SendDefinitionDetails.aspx?id=047a44a5-e65c-e711-82f4-00110a68cc95&CategoryID=2888

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://members.s7.exacttarget.com/C12/Scripts/Utilities/update-token.ashx?_=1498846262721

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=subscribers&categoryID=2890

    Method

POST

    Parameter

Cache-Control

    Evidence

private

Instances

85

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinition.aspx?id=3ec96243-ebd7-4d61-a7a9-e188e321fd13&CategoryID=33264&CategoryName=Reengagement+Campaign

    Method

POST

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinition.aspx?id=3ac682ad-dae9-492a-8a46-13e99599f665&CategoryID=33264&CategoryName=Query

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinitionListing.aspx?CategoryID=2893&CategoryName=Query

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=subscribers&categoryID=2890

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=interactions&categoryID=2893

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/C12/Default.aspx?entityType=none&entityID=0

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinition.aspx?CategoryID=33264

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Init.aspx

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/Administration/SendManagement/SendDefinitionDetails.aspx?id=047a44a5-e65c-e711-82f4-00110a68cc95&CategoryID=2888

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinition.aspx?id=3ec96243-ebd7-4d61-a7a9-e188e321fd13&CategoryID=33264&CategoryName=Reengagement+Campaign

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/NavTree.aspx

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/Include/Init.aspx?MemberID=fe8d13727663057a72&EmployeeID=fe9a13767567077d77&BrandID=fe92137075660d7873&ImpersonatingEmployeeID=fe9a13767567077d77&ImpersonatingMemberID=fe8d13727663057a72&SFSubID=0&SFContactName=&c=true&entityType=&entityID=&entityAction=&s=True

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinition.aspx?id=3ac682ad-dae9-492a-8a46-13e99599f665&CategoryID=33264&CategoryName=Reengagement+Campaign

    Method

POST

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinitionListing.aspx?saved=true&CategoryID=33264&CategoryName=Reengagement+Campaign

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/SessionWarning.aspx?pl=7003320&c=fea0

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=subscribers&categoryID=2890

    Method

POST

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinitionListing.aspx?saved=true&CategoryID=33264&CategoryName=Query

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinitionListing.aspx?CategoryID=33264&CategoryName=Reengagement&

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/left_nav.aspx

    Method

GET

    Parameter

X-XSS-Protection

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=subscribers&categoryID=33262&entityType=subscribers&entityID=1

    Method

GET

    Parameter

X-XSS-Protection

Instances

30

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://members.s7.exacttarget.com/Content/javascripts/JsGlobalBridge.aspx?r=ETEmail.Utilities

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=13%3A41%3A53%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://members.s7.exacttarget.com/Controls/TabStrip/TabStripStyle.aspx

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=subscribers&categoryID=33262&entityType=subscribers&entityID=1

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://members.s7.exacttarget.com/Error.aspx?aspxerrorpath=/C12/%25%25=v(@coll_img)=%25%25

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=13%3A56%3A47%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://members.s7.exacttarget.com/Content/NavTreeAjax.aspx?NavSection=Interactions&NodeID=2893

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=13%3A59%3A50%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=11%3A13%3A46%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://members.s7.exacttarget.com/Error.aspx?aspxerrorpath=/C12/%25%25=CONCAT(@image_base_url,%20@prod_img)=%25%25

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=16%3A02%3A22%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://members.s7.exacttarget.com/Content/NavTreeAjax.aspx?NavSection=Subscribers&NodeID=33650

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=11%3A15%3A46%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=13%3A50%3A08%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://members.s7.exacttarget.com/C12/Scripts/Utilities/update-token.ashx?_=1498846262693

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://members.s7.exacttarget.com/Content/javascripts/JsGlobalBridge.aspx?r=ETEmail.ColorPicker

    Method

GET

    Parameter

ADRUM_BTa

    Evidence

Set-Cookie: ADRUM_BTa

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinition.aspx?id=3ec96243-ebd7-4d61-a7a9-e188e321fd13&CategoryID=33264&CategoryName=Reengagement+Campaign

    Method

POST

    Parameter

ADRUM_BTs

    Evidence

Set-Cookie: ADRUM_BTs

URL

https://members.s7.exacttarget.com/C12/Scripts/Utilities/update-token.ashx?_=1498846262687

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinitionListing.aspx?saved=true&CategoryID=33264&CategoryName=Query

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

URL

https://members.s7.exacttarget.com/Content/NavTreeAjax.aspx?NavSection=Interactions&NodeID=33264

    Method

GET

    Parameter

ADRUM_BT1

    Evidence

Set-Cookie: ADRUM_BT1

Instances

176

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://members.s7.exacttarget.com/Content/javascripts/utilities.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Init.aspx

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/NavTreeAjax.aspx?Action=collapse&NodeID=33262

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinitionListing.aspx?CategoryID=33264&CategoryName=Query

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=14%3A01%3A16%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=interactions&categoryID=2893

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/Async/TreeCallback.aspx?id=33261&type=dataextension&tsd=True&ge=True&showCheck=False&draggable=False&selectablefolders=False&isGlobal=false&param=&sendableDEsOnly=False&testableDEsOnly=False&refreshGroupsOnly=False&dataFilterObjectType=&aeo=false&includeFilteredDEs=False&isCMS=False

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/NavTreeAjax.aspx?NavSection=Subscribers&NodeID=2890

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=16%3A02%3A22%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/Administration/SendManagement/SendDefinitionListing.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Error.aspx?aspxerrorpath=/C12/%25%25=CONCAT(@image_base_url,%20@prod_img)=%25%25

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/Async/TreeCallback.aspx?id=33262&type=dataextension&tsd=True&ge=True&showCheck=False&draggable=False&selectablefolders=False&isGlobal=false&param=&sendableDEsOnly=False&testableDEsOnly=False&refreshGroupsOnly=False&dataFilterObjectType=&aeo=false&includeFilteredDEs=False&isCMS=False

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Controls/Forms/ETDialog.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=11%3A12%3A37%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=13%3A24%3A24%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/ExtendSession.aspx?d=11%3A17%3A46%20GMT-0700%20%28PDT%29&Extend%20Session

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/javascripts/JsGlobalBridge.aspx?r=ETEmail.ColorPicker

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Error.aspx?aspxerrorpath=/C12/%25%25=v(@coll_img)=%25%25

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/Interactions/Query/QueryDefinition.aspx?id=3ec96243-ebd7-4d61-a7a9-e188e321fd13&CategoryID=33264&CategoryName=Reengagement+Campaign

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://members.s7.exacttarget.com/Content/TreeNavItem.aspx?Section=subscribers&categoryID=33262&entityType=subscribers&entityID=1

    Method

POST

    Parameter

X-Content-Type-Options

Instances

109

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://members.s7.exacttarget.com/C12/Default.aspx?entityType=none&entityID=0

    Method

GET

    Parameter

//10861658.collect.igodigital.com/collect.js

    Evidence

<script type="text/javascript" src="//10861658.collect.igodigital.com/collect.js"></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://microsoft.bootstrap.fyre.co/bs3/v3.1/microsoft.fyre.co/381623/MWY1NmVmYzEtZTkwZi02OGRkLWNiMDItMmYyYmEyMTM3M2ZkLWVuLXVz/init

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=120, s-maxage=120

URL

https://microsoft.bootstrap.fyre.co/bs3/v3.1/microsoft.fyre.co/381623/MDkyYTkxOTYtYzQ1ZC0yNmU1LTVhOTgtM2ZhODk0NjkyNjY2LWVuLXVz/init

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=120, s-maxage=120

URL

https://microsoft.bootstrap.fyre.co/bs3/v3.1/microsoft.fyre.co/381623/ZWNlZGExNzktZTFmNS0yYTM2LTdlYjktNGU2MjVhOTM2MzAzLWVuLXVz/init

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=120, s-maxage=120

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://microsoft.bootstrap.fyre.co/bs3/v3.1/microsoft.fyre.co/381623/MDkyYTkxOTYtYzQ1ZC0yNmU1LTVhOTgtM2ZhODk0NjkyNjY2LWVuLXVz/init

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://microsoft.bootstrap.fyre.co/bs3/v3.1/microsoft.fyre.co/381623/ZWNlZGExNzktZTFmNS0yYTM2LTdlYjktNGU2MjVhOTM2MzAzLWVuLXVz/init

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://microsoft.bootstrap.fyre.co/bs3/v3.1/microsoft.fyre.co/381623/MWY1NmVmYzEtZTkwZi02OGRkLWNiMDItMmYyYmEyMTM3M2ZkLWVuLXVz/init

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://microsoft.stream1.fyre.co/servers/?domain=microsoft.fyre.co&collectionId=188967460

    Method

GET

    Parameter

Cache-Control

URL

https://microsoft.stream1.fyre.co/servers/?domain=microsoft.fyre.co&collectionId=188966188

    Method

GET

    Parameter

Cache-Control

URL

https://microsoft.stream1.fyre.co/servers/?domain=microsoft.fyre.co&collectionId=188966641

    Method

GET

    Parameter

Cache-Control

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://microsoft.stream1.fyre.co/servers/?domain=microsoft.fyre.co&collectionId=188967460

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://microsoft.stream1.fyre.co/servers/?domain=microsoft.fyre.co&collectionId=188966188

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://microsoft.stream1.fyre.co/servers/?domain=microsoft.fyre.co&collectionId=188966641

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://microsoftsto.112.2o7.net/b/ss/msstomsdn,msstomsdnforums/1/H.20.3/s14496688339057?AQB=1&ndh=1&t=30/5/2017%2010%3A46%3A19%205%20420&ns=microsoftsto&pageName=social.msdn%3A/forums/sqlserver/en-us/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime&g=https%3A//social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime%3Fforum%3Dtransactsql&r=https%3A//www.google.com/&cc=USD&ch=social.msdn&server=social.msdn.microsoft.com&events=event1%2Cevent10&c1=msdn&v1=D%3Dc1&c2=en-us&v2=D%3Dc2&c3=Implict%20converion%20from%20DATIME%20to%20SMALLDATETIME&v3=D%3Dc3&c4=social.msdn%3A%20forums&v4=D%3Dc4&c5=social.msdn%3A%20forums%3A%20%20sqlserver&v5=D%3Dc5&c6=social.msdn%3A%20forums%3A%20%20sqlserver%3A%20%20en-us&v6=D%3Dc6&c7=social.msdn%3A%20forums%3A%20%20sqlserver%3A%20%20en-us%3A%20%20fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa&v7=D%3Dc7&c9=forums&c10=D%3Dg&v10=D%3Dg&c11=non-library&c12=social.msdn.microsoft.com/forums/sqlserver/en-us/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime&c17=sqlserver&c21=sqlserver&v21=D%3DpageName&c22=sqlserver&c23=transactsql&v44=1498844779691_af65_a275_0c68_fde72896eff2&c45=fallback&v45=fallback&c46=social.msdn%3A/forums/sqlserver/en-us/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime&v46=D%3Dr&v47=D%3DUser-Agent&c50=1306&s=1920x1080&c=24&j=1.6&v=N&k=Y&bw=1350&bh=575&p=Widevine%20Content%20Decryption%20Module%3BChrome%20PDF%20Viewer%3BNative%20Client%3B&AQE=1

    Method

GET

    Parameter

s_vi

    Evidence

Set-Cookie: s_vi

Instances

1

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://microsoftsto.112.2o7.net/b/ss/msstomsdn,msstomsdnforums/1/H.20.3/s14496688339057?AQB=1&ndh=1&t=30/5/2017%2010%3A46%3A19%205%20420&ns=microsoftsto&pageName=social.msdn%3A/forums/sqlserver/en-us/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime&g=https%3A//social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime%3Fforum%3Dtransactsql&r=https%3A//www.google.com/&cc=USD&ch=social.msdn&server=social.msdn.microsoft.com&events=event1%2Cevent10&c1=msdn&v1=D%3Dc1&c2=en-us&v2=D%3Dc2&c3=Implict%20converion%20from%20DATIME%20to%20SMALLDATETIME&v3=D%3Dc3&c4=social.msdn%3A%20forums&v4=D%3Dc4&c5=social.msdn%3A%20forums%3A%20%20sqlserver&v5=D%3Dc5&c6=social.msdn%3A%20forums%3A%20%20sqlserver%3A%20%20en-us&v6=D%3Dc6&c7=social.msdn%3A%20forums%3A%20%20sqlserver%3A%20%20en-us%3A%20%20fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa&v7=D%3Dc7&c9=forums&c10=D%3Dg&v10=D%3Dg&c11=non-library&c12=social.msdn.microsoft.com/forums/sqlserver/en-us/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime&c17=sqlserver&c21=sqlserver&v21=D%3DpageName&c22=sqlserver&c23=transactsql&v44=1498844779691_af65_a275_0c68_fde72896eff2&c45=fallback&v45=fallback&c46=social.msdn%3A/forums/sqlserver/en-us/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime&v46=D%3Dr&v47=D%3DUser-Agent&c50=1306&s=1920x1080&c=24&j=1.6&v=N&k=Y&bw=1350&bh=575&p=Widevine%20Content%20Decryption%20Module%3BChrome%20PDF%20Viewer%3BNative%20Client%3B&AQE=1

    Method

GET

    Parameter

s_vi

    Evidence

Set-Cookie: s_vi

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://na50.lightning.force.com/cometd/40.0

    Method

POST

    Parameter

BAYEUX_BROWSER

    Evidence

Set-Cookie: BAYEUX_BROWSER

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

sid

    Evidence

Set-Cookie: sid

URL

https://na50.lightning.force.com/aura?r=23&Fingerprint.logFingerprint=1

    Method

POST

    Parameter

BrowserId

    Evidence

Set-Cookie: BrowserId

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

clientSrc

    Evidence

Set-Cookie: clientSrc

URL

https://na50.lightning.force.com/one/one.app

    Method

GET

    Parameter

sfdc-stream

    Evidence

Set-Cookie: sfdc-stream

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

RSID

    Evidence

Set-Cookie: RSID

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

SUPRM

    Evidence

Set-Cookie: SUPRM

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

sid_Client

    Evidence

Set-Cookie: sid_Client

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

SUORG

    Evidence

Set-Cookie: SUORG

URL

https://na50.lightning.force.com/one/one.app

    Method

GET

    Parameter

force-stream

    Evidence

Set-Cookie: force-stream

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

inst

    Evidence

Set-Cookie: inst

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

SUCSP

    Evidence

Set-Cookie: SUCSP

Instances

12

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://na50.lightning.force.com/aura?r=9&NewsPanel.getTeaserNews=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?r=1&SystemMessage.getSystemMessages=1&TrialExperience.getTrialData=1&Favorites.getFavorites=1&Notifications.getInitializationValues=1&Header.getPermissions=1&PlatformStateManager.getTabByName=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?r=10&TodayTasksCardDataManager.getTasks=1&Component.getComponent=1&TopDealsCardDataProvider.getTopDealsCardData=1&Assistant.getAssistantCardData=1&HostConfig.getConfigData=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?r=19&PlatformStateManager.getActionOverrides=1&PlatformStateManager.getKeyPrefixesWithRecordTypes=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?r=6&RecentRecordContainer.getRecords=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/cometd/40.0

    Method

POST

    Parameter

Cache-Control

    Evidence

private

URL

https://na50.lightning.force.com/aura?r=20&OpenCtiApiHandler.getSoftphoneConfig=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/one/one.app

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?preloadActions

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/_nc_external/system/security/session/SessionTimeServlet?buster=1498857928141

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://na50.lightning.force.com/aura?r=3&Flexipage.getPage=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?r=21&Fingerprint.logFingerprint=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?r=13&InstrumentationBeacon.sendData=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?r=15&Gear.getEditInfo=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/l/%7B%22mode%22%3A%22PROD%22%2C%22app%22%3A%22one%3Aone%22%2C%22fwuid%22%3A%22egTJsAb7_Esngaq3zUvPDw%22%2C%22loaded%22%3A%7B%22APPLICATION%40markup%3A%2F%2Fone%3Aone%22%3A%22Io3iMpQJM65fyjsQSubsag%22%7D%2C%22styleContext%22%3A%7B%22c%22%3A%22webkit%22%2C%22x%22%3A%5B%22isDesktop%22%5D%2C%22tokens%22%3A%5B%22markup%3A%2F%2Fforce%3AsldsTokens%22%2C%22markup%3A%2F%2Fforce%3Abase%22%2C%22markup%3A%2F%2Fforce%3AformFactorLarge%22%5D%7D%2C%22pathPrefix%22%3A%22%22%2C%22ls%22%3A%22YY%22%2C%22m%22%3A1%7D/app.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=3888000, public

URL

https://na50.lightning.force.com/aura?r=18&OpenCtiApiHandler.getSoftphoneConfig=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?r=0&Flexipage.getPage=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?r=17&TypeAheadDataProvider.getTypeaheadItems=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?r=7&HeroChartDataProvider.getChartDataPoints=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://na50.lightning.force.com/aura?r=16&Notifications.getNotifications=1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

Instances

29

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

SUORG

    Evidence

Set-Cookie: SUORG

URL

https://na50.lightning.force.com/one/one.app

    Method

GET

    Parameter

sfdc-stream

    Evidence

Set-Cookie: sfdc-stream

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

RSID

    Evidence

Set-Cookie: RSID

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

SUPRM

    Evidence

Set-Cookie: SUPRM

URL

https://na50.lightning.force.com/cometd/40.0

    Method

POST

    Parameter

t

    Evidence

Set

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

inst

    Evidence

Set-Cookie: inst

URL

https://na50.lightning.force.com/aura?r=23&Fingerprint.logFingerprint=1

    Method

POST

    Parameter

BrowserId

    Evidence

Set-Cookie: BrowserId

URL

https://na50.lightning.force.com/one/one.app

    Method

GET

    Parameter

force-stream

    Evidence

Set-Cookie: force-stream

URL

https://na50.lightning.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQDFGh1MngkKI.C0DXyWfZhI5PgSrt4JnMhKyOtOOCyHMTW3plmTuUOcWidSyGTXg5ZvLMLIjm9LmOn5CEYzjrxwQOBin&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

SUCSP

    Evidence

Set-Cookie: SUCSP

Instances

9

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

sfdc_lv2

    Evidence

Set-Cookie: sfdc_lv2

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

lloopch_lpid

    Evidence

Set-Cookie: lloopch_lpid

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

disco

    Evidence

Set-Cookie: disco

URL

https://na50.salesforce.com/visualforce/session?url=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com&isdtp=vw

    Method

GET

    Parameter

79eb100099b9a8bf

    Evidence

Set-Cookie: 79eb100099b9a8bf

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

sid

    Evidence

Set-Cookie: sid

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

oid

    Evidence

Set-Cookie: oid

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

sid_Client

    Evidence

Set-Cookie: sid_Client

URL

https://na50.salesforce.com/one/one.app

    Method

GET

    Parameter

sfdc-stream

    Evidence

Set-Cookie: sfdc-stream

URL

https://na50.salesforce.com/visualforce/session?url=https%3A%2F%2Fna50.lightning.force.com%2Fone%2Fone.app

    Method

GET

    Parameter

79eb100099b9a8bf

    Evidence

Set-Cookie: 79eb100099b9a8bf

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

lloopch_loid

    Evidence

Set-Cookie: lloopch_loid

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

QCQQR3

    Evidence

Set-Cookie: QCQQR3

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

inst

    Evidence

Set-Cookie: inst

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

clientSrc

    Evidence

Set-Cookie: clientSrc

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

autocomplete

    Evidence

Set-Cookie: autocomplete

Instances

14

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

autocomplete

    Evidence

Set-Cookie: autocomplete

URL

https://na50.salesforce.com/one/one.app

    Method

GET

    Parameter

sfdc-stream

    Evidence

Set-Cookie: sfdc-stream

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

sfdc_lv2

    Evidence

Set-Cookie: sfdc_lv2

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

QCQQR3

    Evidence

Set-Cookie: QCQQR3

URL

https://na50.salesforce.com/secur/frontdoor.jsp?sid=00D6A00000027Fp%21AQIAQASEFcT8JUFlfwxmOg3siTj.25IYujf0TJYz3X.NOKrI3AKoUoa9F.5F3q5rIr6GaUN0giFOZOB9q.0jfqlPC4KhUArm&apv=1&allp=1&cshc=A000000Goq5A00000027Fp&display=page

    Method

GET

    Parameter

inst

    Evidence

Set-Cookie: inst

Instances

5

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://nexus-websocket-a.intercom.io/client-test

    Method

GET

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://nexus-websocket-a.intercom.io/client-test

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://nexus-websocket-b.intercom.io/client-test

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://nexus-websocket-b.intercom.io/client-test

    Method

GET

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://notification.adblockplus.org/notification.json?addonName=adblockforchrome&addonVersion=3.13.0&application=chrome&applicationVersion=59.0.3071.115&platform=chromium&platformVersion=59.0.3071.115&lastVersion=201706291622&downloadCount=4%2B

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://notification.adblockplus.org/notification.json?addonName=adblockforchrome&addonVersion=3.13.0&application=chrome&applicationVersion=59.0.3071.115&platform=chromium&platformVersion=59.0.3071.115&lastVersion=201706291622&downloadCount=4%2B

    Method

GET

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://notifications.google.com/u/0/widget?sourceid=243&hl=en&origin=https%3A%2F%2Fwww.google.com&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=21600

URL

https://notifications.google.com/u/0/widget?sourceid=300&hl=en&origin=https%3A%2F%2Fhangouts.google.com&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=21600

URL

https://notifications.google.com/u/1/widget?sourceid=49&hl=en&origin=https%3A%2F%2Fdrive.google.com&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=21600

URL

https://notifications.google.com/u/0/widget?sourceid=243&hl=en&origin=https%3A%2F%2Fwww.google.com&uc=1&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.BznCEch7yrY.O%2Fm%3D__features__%2Frt%3Dj%2Fd%3D1%2Frs%3DAHpOoo89FbxkNsIBOnpzYJliP4nzTuPXPg

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=21600

Instances

4

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://omtr2.partners.salesforce.com/id?callback=_airpr_ns.om_cookie

    Method

GET

    Parameter

s_vi

    Evidence

Set-Cookie: s_vi

Instances

1

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://omtr2.partners.salesforce.com/id?callback=_airpr_ns.om_cookie

    Method

GET

    Parameter

s_vi

    Evidence

Set-Cookie: s_vi

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://omtr2.partners.salesforce.com/id?callback=_airpr_ns.om_cookie

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://open-commenting.azurewebsites.net/collectionToken?network=microsoft.fyre.co&site_id=381623&title=smalldatetime%20(Transact-SQL)%20%7C%20Microsoft%20Docs&article_id=eceda179-e1f5-2a36-7eb9-4e625a936303-en-us&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Fdata-types%2Fsmalldatetime-transact-sql

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://open-commenting.azurewebsites.net/collectionToken?network=microsoft.fyre.co&site_id=381623&title=CASE%20(Transact-SQL)%20%7C%20Microsoft%20Docs&article_id=092a9196-c45d-26e5-5a98-3fa894692666-en-us&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://open-commenting.azurewebsites.net/collectionToken?network=microsoft.fyre.co&site_id=381623&title=CAST%20and%20CONVERT%20(Transact-SQL)%20%7C%20Microsoft%20Docs&article_id=1f56efc1-e90f-68dd-cb02-2f2ba21373fd-en-us&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Ffunctions%2Fcast-and-convert-transact-sql

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://open-commenting.azurewebsites.net/collectionToken?network=microsoft.fyre.co&site_id=381623&title=CASE%20(Transact-SQL)%20%7C%20Microsoft%20Docs&article_id=092a9196-c45d-26e5-5a98-3fa894692666-en-us&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000

URL

https://open-commenting.azurewebsites.net/collectionToken?network=microsoft.fyre.co&site_id=381623&title=smalldatetime%20(Transact-SQL)%20%7C%20Microsoft%20Docs&article_id=eceda179-e1f5-2a36-7eb9-4e625a936303-en-us&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Fdata-types%2Fsmalldatetime-transact-sql

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000

URL

https://open-commenting.azurewebsites.net/collectionToken?network=microsoft.fyre.co&site_id=381623&title=CAST%20and%20CONVERT%20(Transact-SQL)%20%7C%20Microsoft%20Docs&article_id=1f56efc1-e90f-68dd-cb02-2f2ba21373fd-en-us&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Ffunctions%2Fcast-and-convert-transact-sql

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://open-commenting.azurewebsites.net/collectionToken?network=microsoft.fyre.co&site_id=381623&title=smalldatetime%20(Transact-SQL)%20%7C%20Microsoft%20Docs&article_id=eceda179-e1f5-2a36-7eb9-4e625a936303-en-us&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Fdata-types%2Fsmalldatetime-transact-sql

    Method

GET

    Parameter

ARRAffinity

    Evidence

Set-Cookie: ARRAffinity

URL

https://open-commenting.azurewebsites.net/collectionToken?network=microsoft.fyre.co&site_id=381623&title=CAST%20and%20CONVERT%20(Transact-SQL)%20%7C%20Microsoft%20Docs&article_id=1f56efc1-e90f-68dd-cb02-2f2ba21373fd-en-us&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Ffunctions%2Fcast-and-convert-transact-sql

    Method

GET

    Parameter

ARRAffinity

    Evidence

Set-Cookie: ARRAffinity

URL

https://open-commenting.azurewebsites.net/collectionToken?network=microsoft.fyre.co&site_id=381623&title=CASE%20(Transact-SQL)%20%7C%20Microsoft%20Docs&article_id=092a9196-c45d-26e5-5a98-3fa894692666-en-us&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql

    Method

GET

    Parameter

ARRAffinity

    Evidence

Set-Cookie: ARRAffinity

Instances

3

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://open-rating-prod.azurewebsites.net/api/v2/user

    Method

POST

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://open-rating-prod.azurewebsites.net/api/v2/user

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://open-rating-prod.azurewebsites.net/api/v2/user

    Method

POST

    Parameter

ARRAffinity

    Evidence

Set-Cookie: ARRAffinity

URL

https://open-rating-prod.azurewebsites.net/api/v2/user

    Method

OPTIONS

    Parameter

ARRAffinity

    Evidence

Set-Cookie: ARRAffinity

Instances

2

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://p5.osdimg.com/g2mupdater/live/config.json

    Method

GET

    Parameter

Cache-Control

    Evidence

must-revalidate

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://p5.osdimg.com/g2mupdater/live/config.json

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://p52-availability.icloud.com:443/281702796/sharedstreams/status?feature=photos

    Method

GET

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://p52-availability.icloud.com:443/281702796/sharedstreams/status?feature=photos

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://p52-caldav.icloud.com/281702796/calendars/

    Method

REPORT

    Parameter

Cache-Control

URL

https://p52-caldav.icloud.com/mm/sub?token=433f630180965bc80f580d1ad1ed1bd66ad8a46d69c310c9daa93dfb1dba29b0&key=281702796-0799d3a361

    Method

POST

    Parameter

Cache-Control

URL

https://p52-caldav.icloud.com/mm/sub?token=433f630180965bc80f580d1ad1ed1bd66ad8a46d69c310c9daa93dfb1dba29b0&key=281702796-6cbf2718fd

    Method

POST

    Parameter

Cache-Control

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://p52-caldav.icloud.com/mm/sub?token=433f630180965bc80f580d1ad1ed1bd66ad8a46d69c310c9daa93dfb1dba29b0&key=281702796-0799d3a361

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://p52-caldav.icloud.com/281702796/calendars/

    Method

REPORT

    Parameter

X-Content-Type-Options

URL

https://p52-caldav.icloud.com/mm/sub?token=433f630180965bc80f580d1ad1ed1bd66ad8a46d69c310c9daa93dfb1dba29b0&key=281702796-6cbf2718fd

    Method

POST

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://p52-contacts.icloud.com/281702796/carddavhome/

    Method

PROPFIND

    Parameter

Cache-Control

URL

https://p52-contacts.icloud.com/281702796/principal/

    Method

PROPFIND

    Parameter

Cache-Control

URL

https://p52-contacts.icloud.com/281702796/carddavhome/card/

    Method

REPORT

    Parameter

Cache-Control

URL

https://p52-contacts.icloud.com/281702796/mm/push/register?token=433f630180965bc80f580d1ad1ed1bd66ad8a46d69c310c9daa93dfb1dba29b0&key=281702796

    Method

POST

    Parameter

Cache-Control

Instances

4

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://p52-contacts.icloud.com/281702796/carddavhome/

    Method

PROPFIND

    Parameter

X-Content-Type-Options

URL

https://p52-contacts.icloud.com/281702796/principal/

    Method

PROPFIND

    Parameter

X-Content-Type-Options

URL

https://p52-contacts.icloud.com/281702796/carddavhome/card/

    Method

REPORT

    Parameter

X-Content-Type-Options

URL

https://p52-contacts.icloud.com/281702796/mm/push/register?token=433f630180965bc80f580d1ad1ed1bd66ad8a46d69c310c9daa93dfb1dba29b0&key=281702796

    Method

POST

    Parameter

X-Content-Type-Options

Instances

4

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://p52-keyvalueservice.icloud.com/sync

    Method

POST

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Content-Type Header Missing

Description

The Content-Type header was either missing or empty.

URL

https://p52-keyvalueservice.icloud.com/sync

    Method

POST

Instances

1

Solution

Ensure each page is setting the specific and appropriate content-type value for the content being delivered.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

CWE Id

345

WASC Id

12

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://p52-quota.icloud.com:443/quotaservice/external/osx/281702796/storageUsageInfo

    Method

GET

    Parameter

Cache-Control

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://p52-quota.icloud.com:443/quotaservice/external/osx/281702796/storageUsageInfo

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://pd-nk.itunes.apple.com/WebObjects/MZPurchaseDaap.woa/purchase/login?guid=F45C89B50505

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://pd-nk.itunes.apple.com/WebObjects/MZPurchaseDaap.woa/purchase/databases/1497674392/items?includePreorders=1&guid=F45C89B50505

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://pd-nk.itunes.apple.com/WebObjects/MZPurchaseDaap.woa/purchase/update?guid=F45C89B50505

    Method

POST

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://peal.io/p/535/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/568/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/532/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/552/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/716/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/544/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/979/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/533/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/536/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/563/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/553/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/assets/application-a58b8ce00f450631297db4dfae1b81e9bf15ea950acc3c8ff1963571cbb625be.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=14400

URL

https://peal.io/p/540/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/550/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/560/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/707/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/soundboards/rick-and-morty

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/547/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/537/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://peal.io/p/710/play

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

Instances

24

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://peal.io/soundboards/rick-and-morty?page=2&_=1498857352305

    Method

GET

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/551/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/soundboards/rick-and-morty?_=1498857352306&page=3

    Method

GET

    Parameter

request_method

    Evidence

Set-Cookie: request_method

URL

https://peal.io/p/535/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/568/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/537/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/550/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/710/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/709/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/979/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/716/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/706/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/536/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/553/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/848/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/563/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/533/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/979/play

    Method

POST

    Parameter

request_method

    Evidence

Set-Cookie: request_method

URL

https://peal.io/p/547/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

URL

https://peal.io/p/560/play

    Method

POST

    Parameter

_peal_session

    Evidence

Set-Cookie: _peal_session

Instances

28

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://peal.io/p/551/play

    Method

POST

    Parameter

request_method

    Evidence

Set-Cookie: request_method

URL

https://peal.io/p/979/play

    Method

POST

    Parameter

request_method

    Evidence

Set-Cookie: request_method

URL

https://peal.io/soundboards/rick-and-morty?_=1498857352306&page=3

    Method

GET

    Parameter

request_method

    Evidence

Set-Cookie: request_method

Instances

3

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://peal.io/assets/application-a58b8ce00f450631297db4dfae1b81e9bf15ea950acc3c8ff1963571cbb625be.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://peal.io/assets/application-800838a143307c2f8aef0c50b527a59b1d54e5412bbff518959ad6694968100f.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://peal.io/javascripts/salvattore.min.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://peal.io/soundboards/rick-and-morty

    Method

GET

    Parameter

//s7.addthis.com/js/300/addthis_widget.js#pubid=ra-4e9e731461d9e491

    Evidence

<script async="async" src="//s7.addthis.com/js/300/addthis_widget.js#pubid=ra-4e9e731461d9e491" type="text/javascript"></script>

URL

https://peal.io/soundboards/rick-and-morty

    Method

GET

    Parameter

//platform.twitter.com/widgets.js

    Evidence

<script src="//platform.twitter.com/widgets.js"></script>

URL

https://peal.io/soundboards/rick-and-morty

    Method

GET

    Parameter

//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js

    Evidence

<script async="async" src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>

Instances

3

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://people-pa.clients6.google.com/v2/people/lookup

    Method

POST

    Parameter

Cache-Control

    Evidence

private

URL

https://people-pa.clients6.google.com/v2/people/

    Method

POST

    Parameter

Cache-Control

    Evidence

private

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://pixel.quantserve.com/pixel;r=747243663;rf=0;uh=7979cfc11abf;a=p-9tnwrxnK1azF1;url=https%3A%2F%2Ftrello.com%2F;fpan=0;fpa=P0-1295625184-1488421323034;ns=0;ce=1;cm=;ref=;je=0;sr=1920x1080x24;enc=n;dst=1;et=1498841980007;tzo=420;ogl=

    Method

GET

    Parameter

d

    Evidence

Set-Cookie: d

URL

https://pixel.quantserve.com/pixel;r=1842237088;rf=0;uh=7979cfc11abf;a=p-9tnwrxnK1azF1;url=https%3A%2F%2Ftrello.com%2F;ref=https%3A%2F%2Ftrello.com%2Flogin;fpan=0;fpa=P0-1295625184-1488421323034;ns=0;ce=1;cm=;je=0;sr=1920x1080x24;enc=n;dst=1;et=1498842167679;tzo=420;ogl=

    Method

GET

    Parameter

d

    Evidence

Set-Cookie: d

URL

https://pixel.quantserve.com/pixel;r=356124883;rf=0;a=p-9tnwrxnK1azF1;url=https%3A%2F%2Ftrello.com%2Flogged-out;ref=https%3A%2F%2Ftrello.com%2F;fpan=0;fpa=P0-1295625184-1488421323034;ns=0;ce=1;cm=;je=0;sr=1920x1080x24;enc=n;dst=1;et=1498842159790;tzo=420;ogl=

    Method

GET

    Parameter

d

    Evidence

Set-Cookie: d

URL

https://pixel.quantserve.com/pixel;r=851749931;rf=0;a=p-9tnwrxnK1azF1;url=https%3A%2F%2Ftrello.com%2Flogin;ref=https%3A%2F%2Ftrello.com%2Flogged-out;fpan=0;fpa=P0-1295625184-1488421323034;ns=0;ce=1;cm=;je=0;sr=1920x1080x24;enc=n;dst=1;et=1498842163720;tzo=420;ogl=

    Method

GET

    Parameter

d

    Evidence

Set-Cookie: d

URL

https://pixel.quantserve.com/pixel;r=235229601;rf=0;uh=7979cfc11abf;a=p-9tnwrxnK1azF1;url=https%3A%2F%2Ftrello.com%2F;ref=https%3A%2F%2Ftrello.com%2Flogin;fpan=0;fpa=P0-1295625184-1488421323034;ns=0;ce=1;cm=;je=0;sr=1920x1080x24;enc=n;dst=1;et=1498844391788;tzo=420;ogl=

    Method

GET

    Parameter

d

    Evidence

Set-Cookie: d

Instances

5

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://pixel.quantserve.com/pixel;r=235229601;rf=0;uh=7979cfc11abf;a=p-9tnwrxnK1azF1;url=https%3A%2F%2Ftrello.com%2F;ref=https%3A%2F%2Ftrello.com%2Flogin;fpan=0;fpa=P0-1295625184-1488421323034;ns=0;ce=1;cm=;je=0;sr=1920x1080x24;enc=n;dst=1;et=1498844391788;tzo=420;ogl=

    Method

GET

    Parameter

d

    Evidence

Set-Cookie: d

URL

https://pixel.quantserve.com/pixel;r=1842237088;rf=0;uh=7979cfc11abf;a=p-9tnwrxnK1azF1;url=https%3A%2F%2Ftrello.com%2F;ref=https%3A%2F%2Ftrello.com%2Flogin;fpan=0;fpa=P0-1295625184-1488421323034;ns=0;ce=1;cm=;je=0;sr=1920x1080x24;enc=n;dst=1;et=1498842167679;tzo=420;ogl=

    Method

GET

    Parameter

d

    Evidence

Set-Cookie: d

URL

https://pixel.quantserve.com/pixel;r=851749931;rf=0;a=p-9tnwrxnK1azF1;url=https%3A%2F%2Ftrello.com%2Flogin;ref=https%3A%2F%2Ftrello.com%2Flogged-out;fpan=0;fpa=P0-1295625184-1488421323034;ns=0;ce=1;cm=;je=0;sr=1920x1080x24;enc=n;dst=1;et=1498842163720;tzo=420;ogl=

    Method

GET

    Parameter

d

    Evidence

Set-Cookie: d

URL

https://pixel.quantserve.com/pixel;r=747243663;rf=0;uh=7979cfc11abf;a=p-9tnwrxnK1azF1;url=https%3A%2F%2Ftrello.com%2F;fpan=0;fpa=P0-1295625184-1488421323034;ns=0;ce=1;cm=;ref=;je=0;sr=1920x1080x24;enc=n;dst=1;et=1498841980007;tzo=420;ogl=

    Method

GET

    Parameter

d

    Evidence

Set-Cookie: d

URL

https://pixel.quantserve.com/pixel;r=356124883;rf=0;a=p-9tnwrxnK1azF1;url=https%3A%2F%2Ftrello.com%2Flogged-out;ref=https%3A%2F%2Ftrello.com%2F;fpan=0;fpa=P0-1295625184-1488421323034;ns=0;ce=1;cm=;je=0;sr=1920x1080x24;enc=n;dst=1;et=1498842159790;tzo=420;ogl=

    Method

GET

    Parameter

d

    Evidence

Set-Cookie: d

Instances

5

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://platform.twitter.com/js/button.2ef3f9ec66d99ca2876b5333fb68c892.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://platform.twitter.com/jot.html

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://platform.twitter.com/widgets.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://platform.twitter.com/widgets/follow_button.bac917c749f65aefd5f37c272c7c3538.en.html

    Method

GET

    Parameter

X-Content-Type-Options

Instances

4

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://platform.twitter.com/jot.html

    Method

GET

    Parameter

X-XSS-Protection

URL

https://platform.twitter.com/widgets/follow_button.bac917c749f65aefd5f37c272c7c3538.en.html

    Method

GET

    Parameter

X-XSS-Protection

Instances

2

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://platform.twitter.com/jot.html

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=315360000

URL

https://platform.twitter.com/widgets/follow_button.bac917c749f65aefd5f37c272c7c3538.en.html

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=315360000

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://play.google.com/log?format=json&u=1&authuser=1

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://play.google.com/log?format=json&u=0&authuser=0

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://play.google.com/log?format=json

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://play.google.com/log?authuser=0

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://play.google.com/log?format=json&authuser=0

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://play.google.com/log?format=json&authuser=1

    Method

POST

    Parameter

X-Content-Type-Options

Instances

6

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://play.google.com/log?format=json&u=1&authuser=1

    Method

POST

    Parameter

NID

    Evidence

Set-Cookie: NID

URL

https://play.google.com/log?format=json&u=0&authuser=0

    Method

POST

    Parameter

NID

    Evidence

Set-Cookie: NID

URL

https://play.google.com/log?format=json

    Method

POST

    Parameter

NID

    Evidence

Set-Cookie: NID

Instances

3

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://play.google.com/log?format=json&u=0&authuser=0

    Method

POST

    Parameter

Cache-Control

    Evidence

private

URL

https://play.google.com/log?format=json&u=1&authuser=1

    Method

POST

    Parameter

Cache-Control

    Evidence

private

URL

https://play.google.com/log?authuser=0

    Method

POST

    Parameter

Cache-Control

    Evidence

private

URL

https://play.google.com/log?format=json&authuser=0

    Method

POST

    Parameter

Cache-Control

    Evidence

private

URL

https://play.google.com/log?format=json&authuser=1

    Method

POST

    Parameter

Cache-Control

    Evidence

private

URL

https://play.google.com/log?format=json

    Method

POST

    Parameter

Cache-Control

    Evidence

private

Instances

6

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://play.itunes.apple.com/WebObjects/MZPlay.woa/wa/signSapSetup?guid=F45C89B50505

    Method

POST

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://profile-images.scdn.co/images/userprofile/default/4a0224217b4367153718437f05744bf066abf96f

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://ps1.pubnub.com/time/0?uuid=c8eebd9e-f813-474a-bbd8-a8bbece0b96d&pnsdk=PubNub-JS-Web%2F3.7.23

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://ps3.pubnub.com/time/0?uuid=06b1dbe1-b21b-41c4-8666-473f6e222849&pnsdk=PubNub-JS-Web%2F3.7.23

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://ps4.pubnub.com/subscribe/sub-c-b8b9cd8c-e906-11e2-b383-02ee2ddab7fe/744840668962178_9e229094/0/14988579401338067?uuid=06b1dbe1-b21b-41c4-8666-473f6e222849&pnsdk=PubNub-JS-Web%2F3.7.23

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://ps4.pubnub.com/subscribe/sub-c-b8b9cd8c-e906-11e2-b383-02ee2ddab7fe/744840668962178_9e229094/0/0?uuid=06b1dbe1-b21b-41c4-8666-473f6e222849&pnsdk=PubNub-JS-Web%2F3.7.23

    Method

GET

    Parameter

X-Content-Type-Options

Instances

2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://public-api.wordpress.com/rest/v1/batch?http_envelope=1&urls%5B%5D=/me&urls%5B%5D=/sites/105475391/posts/538/likes&urls%5B%5D=/sites/105475391/posts/538/reblogs/mine&urls%5B%5D=/sites/105475391/posts/538/likes&urls%5B%5D=/sites/105475391/posts/538/reblogs/mine

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, must-revalidate, max-age=0

URL

https://public-api.wordpress.com/connect/?googleplus-sign-in=https%3A%2F%2Fteamforcesite.wordpress.com

    Method

GET

    Parameter

Cache-Control

URL

https://public-api.wordpress.com/wp-admin/rest-proxy/

    Method

GET

    Parameter

Cache-Control

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://public-api.wordpress.com/wp-admin/rest-proxy/

    Method

GET

    Parameter

wp_api

    Evidence

Set-Cookie: wp_api

Instances

1

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://public-api.wordpress.com/wp-admin/rest-proxy/

    Method

GET

    Parameter

X-XSS-Protection

URL

https://public-api.wordpress.com/connect/?googleplus-sign-in=https%3A%2F%2Fteamforcesite.wordpress.com

    Method

GET

    Parameter

X-XSS-Protection

Instances

2

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://public-api.wordpress.com/wp-admin/rest-proxy/

    Method

GET

    Parameter

//s0.wp.com/_static/??/wp-includes/js/jquery/jquery.js,/wp-content/js/postmessage.js?m=1377267974j

    Evidence

<script type='text/javascript' src='//s0.wp.com/_static/??/wp-includes/js/jquery/jquery.js,/wp-content/js/postmessage.js?m=1377267974j'></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://public-api.wordpress.com/rest/v1/batch?http_envelope=1&urls%5B%5D=/me&urls%5B%5D=/sites/105475391/posts/538/likes&urls%5B%5D=/sites/105475391/posts/538/reblogs/mine&urls%5B%5D=/sites/105475391/posts/538/likes&urls%5B%5D=/sites/105475391/posts/538/reblogs/mine

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://public-api.wordpress.com/connect/googleplus-sign-in.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://public-api.wordpress.com/wp-admin/rest-proxy/

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://public-api.wordpress.com/connect/?googleplus-sign-in=https%3A%2F%2Fteamforcesite.wordpress.com

    Method

GET

    Parameter

X-Content-Type-Options

Instances

4

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://r5---sn-n4v7sn7z.googlevideo.com/videoplayback?id=fdd34a4af3fca966&itag=140&source=youtube&requiressl=yes&ei=QsdWWYXWBZ6q_AOi8KjoDA&ms=au&initcwndbps=1823750&mv=m&pl=16&mm=31&mn=sn-n4v7sn7z&ratebypass=yes&mime=audio%2Fmp4&otfp=1&gir=yes&clen=1788330&lmt=1496785824828913&dur=112.454&signature=63CC71493E8AC450CD9FBC58312D775E3F808111.02BDF060533B690EA6658890B662245948157A9E&mt=1498859210&key=dg_yt0&cpn=t2tSX_mxEEcLfoaa&mpd_version=5&ip=73.170.79.207&ipbits=0&expire=1498880930&sparams=ip,ipbits,expire,id,itag,source,requiressl,ei,ms,initcwndbps,mv,pl,mm,mn,ratebypass,mime,otfp,gir,clen,lmt,dur&alr=yes&keepalive=yes&c=WEB&cver=1.20170627&range=0-591&rn=1&rbuf=0

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=21299

URL

https://r5---sn-n4v7sn7z.googlevideo.com/videoplayback?id=fdd34a4af3fca966&itag=134&source=youtube&requiressl=yes&ei=QsdWWYXWBZ6q_AOi8KjoDA&ms=au&initcwndbps=1823750&mv=m&pl=16&mm=31&mn=sn-n4v7sn7z&ratebypass=yes&mime=video%2Fmp4&otfp=1&gir=yes&clen=1031491&lmt=1496785838856643&dur=112.399&signature=4FC15E76103357B4F3A1FB64066C4DEA3CDD44E4.3583767355D90C633C37E0DBA54B436622310194&mt=1498859210&key=dg_yt0&cpn=t2tSX_mxEEcLfoaa&mpd_version=5&ip=73.170.79.207&ipbits=0&expire=1498880930&sparams=ip,ipbits,expire,id,itag,source,requiressl,ei,ms,initcwndbps,mv,pl,mm,mn,ratebypass,mime,otfp,gir,clen,lmt,dur&alr=yes&keepalive=yes&c=WEB&cver=1.20170627&range=0-714&rn=0&rbuf=0

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=21299

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

sid

    Evidence

Set-Cookie: sid

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

SUCSP

    Evidence

Set-Cookie: SUCSP

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

SUPRM

    Evidence

Set-Cookie: SUPRM

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

sid_Client

    Evidence

Set-Cookie: sid_Client

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

RSID

    Evidence

Set-Cookie: RSID

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

SUORG

    Evidence

Set-Cookie: SUORG

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

clientSrc

    Evidence

Set-Cookie: clientSrc

URL

https://rcsfl.na50.visual.force.com/apexremote

    Method

POST

    Parameter

79eb100099b9a8bf

    Evidence

Set-Cookie: 79eb100099b9a8bf

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

inst

    Evidence

Set-Cookie: inst

Instances

9

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://rcsfl.na50.visual.force.com/apexremote

    Method

POST

    Parameter

Cache-Control

    Evidence

private

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

inst

    Evidence

Set-Cookie: inst

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

SUPRM

    Evidence

Set-Cookie: SUPRM

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

SUORG

    Evidence

Set-Cookie: SUORG

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

RSID

    Evidence

Set-Cookie: RSID

URL

https://rcsfl.na50.visual.force.com/visualforce/recsession?sid=00D6A00000027Fp%21AQIAQJJebgAydexVrFskp4yKH0Y2hAd7sE4DmqusGTZdMMm7J8TZ8LHvrklKtJPYwE7qMKLCfJey0DKhydCVna4GXaWp7vSt&inst=6A&cshc=A000000Goq5A00000027Fp&retURL=https%3A%2F%2Frcsfl.na50.visual.force.com%2Fapex%2Frcsfl__OpenCTIIndex999%3Fmode%3DLightning%26isdtp%3Dvw%26sfdcIframeOrigin%3Dhttps%253A%252F%252Fna50.lightning.force.com

    Method

GET

    Parameter

SUCSP

    Evidence

Set-Cookie: SUCSP

Instances

5

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://rules.quantcount.com/rules-p-9tnwrxnK1azF1.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://s.zkcdn.net/Extensions/adFeedback.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=604800

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://s.zkcdn.net/Extensions/adFeedback.css

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://s0.wp.com/_static/??-eJzTLy/QTc7PK0nNK9EvyClNz8wr1i+uzCtJrMjITM/IAeKS1CJMEWP94uSizIISoOIM5/yiVL2sYh19yo1yKiotzvBKLEsEmmefa2toYmRkbGJkaGySBQDQrj/5

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s0.wp.com/i/noticons/noticons.css?ver=20170206

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s0.wp.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css?m=1363304414h&amp;ver=3.0.9b

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s0.wp.com/wp-content/mu-plugins/global-print/global-print.css?m=1465851035h

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s0.wp.com/wp-content/js/postmessage.js?ver=20170206

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s0.wp.com/wp-includes/js/jquery/jquery.js?ver=20170206

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s0.wp.com/wp-includes/js/underscore.min.js?ver=20170206

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s0.wp.com/wp-content/js/jquery/jquery.wpcom-proxy-request.js?ver=20170206

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s0.wp.com/wp-content/js/jed/jed.js?ver=20170206

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s0.wp.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css?ver=3.0.9b

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s0.wp.com/_static/??/wp-includes/js/jquery/jquery.js,/wp-content/js/postmessage.js?m=1377267974j

    Method

GET

    Parameter

X-Content-Type-Options

Instances

11

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://s0.wp.com/wp-content/mu-plugins/global-print/global-print.css?m=1465851035h

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

URL

https://s0.wp.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css?ver=3.0.9b

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

URL

https://s0.wp.com/i/noticons/noticons.css?ver=20170206

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

URL

https://s0.wp.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css?m=1363304414h&amp;ver=3.0.9b

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

Instances

4

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://s1.wp.com/_static/??-eJx9jdEKgiEMRl8oG1ZQXUTP4m/LFurETaS3z+hGiP6777AdDvRiPGfFrJCaKbEFygIBM1Yahz9z60U2MLn6wIQCpS2wNFXOQNmD6Cui6cVz+jGmWqdbQBUQ9uSi+cZmWJMDsonsndKIzmDu0VFdUysukcOYAcbXhB/pmi72cD7uTtbu7fMNj59u9Q==

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

URL

https://s1.wp.com/wp-content/mu-plugins/carousel/jetpack-carousel.css?m=1481571546h

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

URL

https://s1.wp.com/wp-content/mu-plugins/highlander-comments/style.css?m=1377793621h

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

URL

https://s1.wp.com/_static/??-eJx9j90OwiAMhV9IrEv8mRfGZwHWTJQCWUsW315wUaMzu2na5nw9PTAmZWMQDAKUVfK5d4FhTDaSYnIe7z/T2jKv4D/m3Q0ZrihJ25t6TjO58bH/+MSh0x1D76PRfum0jQOWPSUtVUHYOY0eqciWMEr7F1XbS/lrMcEU1Zg0ILMqlVwmJZditMgVqr4yZYYi/N5MqIMQxRWa383s5mQFKRswWSQGYLl7rLoznZpte9wcdk3bXh8CN6W4

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

Instances

4

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://s1.wp.com/_static/??-eJx9jdEKgiEMRl8oG1ZQXUTP4m/LFurETaS3z+hGiP6777AdDvRiPGfFrJCaKbEFygIBM1Yahz9z60U2MLn6wIQCpS2wNFXOQNmD6Cui6cVz+jGmWqdbQBUQ9uSi+cZmWJMDsonsndKIzmDu0VFdUysukcOYAcbXhB/pmi72cD7uTtbu7fMNj59u9Q==

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s1.wp.com/wp-content/mu-plugins/akismet-3.0/_inc/form.js?m=1404442431h

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s1.wp.com/wp-content/mu-plugins/highlander-comments/style.css?m=1377793621h

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s1.wp.com/_static/??-eJyFztEKwjAMBdAfsquTiXsRv6XWOFKXtDbphn69HeiDMBQCgdzDJXZOBtmP5QJiQ517gfx4rybIxv4ChnDITqEh5A/2kRVYF0vxjCOYIpDdUG+16BpXXIqiBCIVraTfLyFPCPNfFkCT8zeTQfC5tJ7o2Hb9Yde3+24bXjRNW9I=

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s1.wp.com/_static/??-eJx9j90OwiAMhV9IrEv8mRfGZwHWTJQCWUsW315wUaMzu2na5nw9PTAmZWMQDAKUVfK5d4FhTDaSYnIe7z/T2jKv4D/m3Q0ZrihJ25t6TjO58bH/+MSh0x1D76PRfum0jQOWPSUtVUHYOY0eqciWMEr7F1XbS/lrMcEU1Zg0ILMqlVwmJZditMgVqr4yZYYi/N5MqIMQxRWa383s5mQFKRswWSQGYLl7rLoznZpte9wcdk3bXh8CN6W4

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s1.wp.com/wp-content/mu-plugins/gravatar-hovercards/wpgroho.js?m=1380573781h

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s1.wp.com/wp-includes/js/wp-emoji-release.min.js?m=1496863874h&ver=4.8-RC2-40878

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s1.wp.com/wp-content/mu-plugins/carousel/jetpack-carousel.css?m=1481571546h

    Method

GET

    Parameter

X-Content-Type-Options

Instances

8

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://s2.wp.com/_static/??/wp-content/js/jquery/jquery.autoresize.js,/wp-content/mu-plugins/highlander-comments/script.js?m=1479964158j

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s2.wp.com/_static/??-eJyVkdtOwzAMhl+IzNuEQFwgnsVN3dZpTsRJx96eFFjpYKq0K1u//fkIp6h08Jl8BiPQ0sSa4sfOyAOsQq6oaEvPXsDySALvhQoN6FtLaSNZB+eqpL4hM9MNyIkj3QNdCX/BPJCrabE00JScgwcUofwFepy4x8zB30PJyLH28qPqgi6iOl7uwV7b0l5PlSja887xvx6rlbCtcdVgAoeSKVVPhYlS4rnYom1V0PMac4XFuzWUxN851rqpD0vnH7NbZ916AKZQhCwYyhH1qC7CBhODZNVZ5AQyYGLfX2yF3tzr4fHluN8/HY7P5hOVaOu5

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s2.wp.com/_static/??-eJx9i9EKwjAMRX/IGoVN54P4LVnp2kialCbD3xcfRGTi0z0XzoFHC1HFkzjUNTReM4kBRieVGfuH9tFsB7/1puZhYaQOVrCT5Pf+q0wjIQfWrN9nE3lJNRmUATLrjPwSbvV6HC6H83Qap/H+BMWZScE=

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://s2.wp.com/_static/??-eJx9i9EKwjAMRX/IGoVN54P4LVnp2kialCbD3xcfRGTi0z0XzoFHC1HFkzjUNTReM4kBRieVGfuH9tFsB7/1puZhYaQOVrCT5Pf+q0wjIQfWrN9nE3lJNRmUATLrjPwSbvV6HC6H83Qap/H+BMWZScE=

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://s3.amazonaws.com/BoomerangForGmail/bookmarklet/font/lato-normal.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://s3.amazonaws.com/BoomerangForGmail/bookmarklet/font/lato-bold.woff2

    Method

GET

    Parameter

X-Content-Type-Options

Instances

2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://s7.addthis.com/js/300/addthis_widget.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-permissions

    Method

POST

    Parameter

NID

    Evidence

Set-Cookie: NID

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://salesforcecom.demdex.net/dest5.html?d_nsid=0

    Method

GET

    Parameter

demdex

    Evidence

Set-Cookie: demdex

Instances

1

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://salesforcecom.demdex.net/dest5.html?d_nsid=0

    Method

GET

    Parameter

demdex

    Evidence

Set-Cookie: demdex

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://salesforcecom.demdex.net/dest5.html?d_nsid=0

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=21600

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://salesforcecom.demdex.net/dest5.html?d_nsid=0

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://salesforcecom.demdex.net/dest5.html?d_nsid=0

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://salesforcecom.tt.omtrdc.net/m2/salesforcecom/mbox/json?screenHeight=1080&screenWidth=1920&colorDepth=24&browserWidth=1350&browserHeight=575&browserTimeOffset=-420&mboxPage=010ae8d62baf48f2a371aad38fa690b7&mboxVersion=0.9.3&mboxHost=www.salesforce.com&mboxURL=https%3A%2F%2Fwww.salesforce.com%2F&mboxReferrer=&mboxSession=59311300b4f94dca88c7b30a76d618ec&mboxPC=4db145f121f4410a978785db2a94c9ef.28_74&mboxTime=1498816639823&pageName=SFDC%3Aus%3Ahomepage&pageType=Home%20Page&profile.orgId=00D610000008Ckw&profile.dbAudience=residential&profile.visitorType=customer&profile.isTrialUser=false&profile.visitNumber=157&profile.newVisit=false&profile.driverType=Typed%2FBookmarked&profile.driverId=Typed%2FBookmarked&mbox=target-global-mbox&mboxCount=1&mboxMCGVID=26143214703270968390094568821291249732&mboxAAMB=NRX38WO0n5BH8Th-nqAG_A&mboxMCAVID=&mboxMCGLH=9&vst.trk=omtr1.partners.salesforce.com&vst.trks=omtr2.partners.salesforce.com&mboxMCSDID=5E7CA7123B5E8B62-5AE55B2E1842C294

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://salesforcecom.tt.omtrdc.net/m2/salesforcecom/mbox/json?screenHeight=1080&screenWidth=1920&colorDepth=24&browserWidth=1350&browserHeight=575&browserTimeOffset=-420&mboxPage=010ae8d62baf48f2a371aad38fa690b7&mboxVersion=0.9.3&mboxHost=www.salesforce.com&mboxURL=https%3A%2F%2Fwww.salesforce.com%2F&mboxReferrer=&mboxSession=59311300b4f94dca88c7b30a76d618ec&mboxPC=4db145f121f4410a978785db2a94c9ef.28_74&mboxTime=1498816639823&pageName=SFDC%3Aus%3Ahomepage&pageType=Home%20Page&profile.orgId=00D610000008Ckw&profile.dbAudience=residential&profile.visitorType=customer&profile.isTrialUser=false&profile.visitNumber=157&profile.newVisit=false&profile.driverType=Typed%2FBookmarked&profile.driverId=Typed%2FBookmarked&mbox=target-global-mbox&mboxCount=1&mboxMCGVID=26143214703270968390094568821291249732&mboxAAMB=NRX38WO0n5BH8Th-nqAG_A&mboxMCAVID=&mboxMCGLH=9&vst.trk=omtr1.partners.salesforce.com&vst.trks=omtr2.partners.salesforce.com&mboxMCSDID=5E7CA7123B5E8B62-5AE55B2E1842C294

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://script.crazyegg.com/pages/scripts/0012/4914.js?416348

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://secure.adnxs.com/seg?add=3984824,4820597,2374712,1679806&add_code=appexchange_salesforce_com,salesforce_com&member=232&redir=https%3A%2F%2Fimp2.ads.linkedin.com%2Fl

    Method

GET

    Parameter

anj

    Evidence

Set-Cookie: anj

URL

https://secure.adnxs.com/px?id=492214&redir=https%3A%2F%2Fsecure.adnxs.com%2Fpx%3Fid%3D495905%26redir%3Dhttps%253A%252F%252Fsecure.adnxs.com%252Fseg%253Fadd%253D4820597%252C2374712%252C1679806%2526add_code%253Dc_salesforce_com%252Csalesforce_com%2526member%253D232%2526redir%253Dhttps%25253A%25252F%25252Fimp2.ads.linkedin.com%25252Fl

    Method

GET

    Parameter

sess

    Evidence

Set-Cookie: sess

URL

https://secure.adnxs.com/seg?add=4820597,2374712,1679806&add_code=c_salesforce_com,salesforce_com&member=232&redir=https%3A%2F%2Fimp2.ads.linkedin.com%2Fl

    Method

GET

    Parameter

uuid2

    Evidence

Set-Cookie: uuid2

URL

https://secure.adnxs.com/px?id=495905&redir=https%3A%2F%2Fsecure.adnxs.com%2Fpx%3Fid%3D492214%26redir%3Dhttps%253A%252F%252Fsecure.adnxs.com%252Fseg%253Fadd%253D4820597%252C2374712%252C1679806%2526add_code%253Dwww_salesforce_com%252Csalesforce_com%2526member%253D232%2526redir%253Dhttps%25253A%25252F%25252Fimp2.ads.linkedin.com%25252Fl

    Method

GET

    Parameter

uuid2

    Evidence

Set-Cookie: uuid2

URL

https://secure.adnxs.com/px?id=495905&redir=https%3A%2F%2Fsecure.adnxs.com%2Fseg%3Fadd%3D4820597%2C2374712%2C1679806%26add_code%3Dc_salesforce_com%2Csalesforce_com%26member%3D232%26redir%3Dhttps%253A%252F%252Fimp2.ads.linkedin.com%252Fl

    Method

GET

    Parameter

sess

    Evidence

Set-Cookie: sess

URL

https://secure.adnxs.com/px?id=495905&redir=https%3A%2F%2Fsecure.adnxs.com%2Fpx%3Fid%3D492214%26redir%3Dhttps%253A%252F%252Fsecure.adnxs.com%252Fseg%253Fadd%253D3984824%252C4820597%252C2374712%252C1679806%2526add_code%253Dappexchange_salesforce_com%252Csalesforce_com%2526member%253D232%2526redir%253Dhttps%25253A%25252F%25252Fimp2.ads.linkedin.com%25252Fl

    Method

GET

    Parameter

sess

    Evidence

Set-Cookie: sess

URL

https://secure.adnxs.com/px?id=495905&redir=https%3A%2F%2Fsecure.adnxs.com%2Fseg%3Fadd%3D4820597%2C2374712%2C1679806%26add_code%3Dc_salesforce_com%2Csalesforce_com%26member%3D232%26redir%3Dhttps%253A%252F%252Fimp2.ads.linkedin.com%252Fl

    Method

GET

    Parameter

anj

    Evidence

Set-Cookie: anj

URL

https://secure.adnxs.com/px?id=492214&redir=https%3A%2F%2Fsecure.adnxs.com%2Fseg%3Fadd%3D3984824%2C2374712%2C4820597%2C1679806%26add_code%3Dappexchange_salesforce_com%2Csalesforce_com%26member%3D232%26redir%3Dhttps%253A%252F%252Fimp2.ads.linkedin.com%252Fl

    Method

GET

    Parameter

uuid2

    Evidence

Set-Cookie: uuid2

URL

https://secure.adnxs.com/px?id=495905&redir=https%3A%2F%2Fsecure.adnxs.com%2Fpx%3Fid%3D492214%26redir%3Dhttps%253A%252F%252Fsecure.adnxs.com%252Fseg%253Fadd%253D3984824%252C4820597%252C2374712%252C1679806%2526add_code%253Dappexchange_salesforce_com%252Csalesforce_com%2526member%253D232%2526redir%253Dhttps%25253A%25252F%25252Fimp2.ads.linkedin.com%25252Fl

    Method

GET

    Parameter

anj

    Evidence

Set-Cookie: anj

URL

https://secure.adnxs.com/px?id=492214&redir=https%3A%2F%2Fsecure.adnxs.com%2Fpx%3Fid%3D495905%26redir%3Dhttps%253A%252F%252Fsecure.adnxs.com%252Fseg%253Fadd%253D4820597%252C2374712%252C1679806%2526add_code%253Dc_salesforce_com%252Csalesforce_com%2526member%253D232%2526redir%253Dhttps%25253A%25252F%25252Fimp2.ads.linkedin.com%25252Fl

    Method

GET

    Parameter

anj

    Evidence

Set-Cookie: anj

URL

https://secure.adnxs.com/px?id=492214&redir=https%3A%2F%2Fsecure.adnxs.com%2Fseg%3Fadd%3D4820597%2C2374712%2C1679806%26add_code%3Dwww_salesforce_com%2Csalesforce_com%26member%3D232%26redir%3Dhttps%253A%252F%252Fimp2.ads.linkedin.com%252Fl

    Method

GET

    Parameter

uuid2

    Evidence

Set-Cookie: uuid2

URL

https://secure.adnxs.com/px?id=495905&redir=https%3A%2F%2Fsecure.adnxs.com%2Fpx%3Fid%3D492214%26redir%3Dhttps%253A%252F%252Fsecure.adnxs.com%252Fseg%253Fadd%253D3984824%252C2374712%252C4820597%252C1679806%2526add_code%253Dappexchange_salesforce_com%252Csalesforce_com%2526member%253D232%2526redir%253Dhttps%25253A%25252F%25252Fimp2.ads.linkedin.com%25252Fl

    Method

GET

    Parameter

uuid2

    Evidence

Set-Cookie: uuid2

URL

https://secure.adnxs.com/seg?add=3984824,2374712,4820597,1679806&add_code=appexchange_salesforce_com,salesforce_com&member=232&redir=https%3A%2F%2Fimp2.ads.linkedin.com%2Fl

    Method

GET

    Parameter

sess

    Evidence

Set-Cookie: sess

URL

https://secure.adnxs.com/px?id=492214&redir=https%3A%2F%2Fsecure.adnxs.com%2Fseg%3Fadd%3D3984824%2C4820597%2C2374712%2C1679806%26add_code%3Dappexchange_salesforce_com%2Csalesforce_com%26member%3D232%26redir%3Dhttps%253A%252F%252Fimp2.ads.linkedin.com%252Fl

    Method

GET

    Parameter

uuid2

    Evidence

Set-Cookie: uuid2

URL

https://secure.adnxs.com/px?id=492214&redir=https%3A%2F%2Fsecure.adnxs.com%2Fseg%3Fadd%3D4820597%2C2374712%2C1679806%26add_code%3Dwww_salesforce_com%2Csalesforce_com%26member%3D232%26redir%3Dhttps%253A%252F%252Fimp2.ads.linkedin.com%252Fl

    Method

GET

    Parameter

sess

    Evidence

Set-Cookie: sess

URL

https://secure.adnxs.com/seg?add=3984824,2374712,4820597,1679806&add_code=appexchange_salesforce_com,salesforce_com&member=232&redir=https%3A%2F%2Fimp2.ads.linkedin.com%2Fl

    Method

GET

    Parameter

anj

    Evidence

Set-Cookie: anj

URL

https://secure.adnxs.com/seg?add=4820597,2374712,1679806&add_code=c_salesforce_com,salesforce_com&member=232&redir=https%3A%2F%2Fimp2.ads.linkedin.com%2Fl

    Method

GET

    Parameter

sess

    Evidence

Set-Cookie: sess

URL

https://secure.adnxs.com/seg?add=3984824,4820597,2374712,1679806&add_code=appexchange_salesforce_com,salesforce_com&member=232&redir=https%3A%2F%2Fimp2.ads.linkedin.com%2Fl

    Method

GET

    Parameter

sess

    Evidence

Set-Cookie: sess

URL

https://secure.adnxs.com/seg?add=4820597,2374712,1679806&add_code=www_salesforce_com,salesforce_com&member=232&redir=https%3A%2F%2Fimp2.ads.linkedin.com%2Fl

    Method

GET

    Parameter

uuid2

    Evidence

Set-Cookie: uuid2

URL

https://secure.adnxs.com/px?id=495905&redir=https%3A%2F%2Fsecure.adnxs.com%2Fpx%3Fid%3D492214%26redir%3Dhttps%253A%252F%252Fsecure.adnxs.com%252Fseg%253Fadd%253D3984824%252C2374712%252C4820597%252C1679806%2526add_code%253Dappexchange_salesforce_com%252Csalesforce_com%2526member%253D232%2526redir%253Dhttps%25253A%25252F%25252Fimp2.ads.linkedin.com%25252Fl

    Method

GET

    Parameter

sess

    Evidence

Set-Cookie: sess

Instances

36

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://secure.sfdcstatic.com/system/shared/common/assets/thirdparty/mouseflow/mouseflow.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://secure.sfdcstatic.com/common/assets/js/min/header-login-min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://secure.sfdcstatic.com/common/assets/css/min/login-messages-new-min.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://secure.sfdcstatic.com/common/assets/js/min/footer-login-min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://secure.sfdcstatic.com/system/shared/common/assets/thirdparty/mcloud/mcloudCfg.min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://secure.sfdcstatic.com/common/assets/js/min/bg-cover-min.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

6

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://secure.sfdcstatic.com/common/assets/css/min/login-messages-new-min.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=3600

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://security.secure.force.com/security/tools/webapp/zaprunningscan

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://security.secure.force.com/security/tools/webapp/zaprunningscan

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=600,s-maxage=0

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://sentry.io/api/34377/store/?sentry_version=7&sentry_client=raven-js%2F3.14.2&sentry_key=4634b963b9c44608ac9fa9b3ffa5cb18

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://servicemanagement.clients6.google.com/v1/services?%24prettyPrint=false&producerProjectId=galileo-map-view-1487967109796&consumerProjectId=galileo-map-view-1487967109796&expand=projectSettings&key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://servicemanagement.clients6.google.com/v1/services?%24prettyPrint=false&category=servicemanagement.googleapis.com%2Fcategories%2Fgoogle-services&key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://servicemanagement.clients6.google.com/v1/services/geocoding_backend?alt=json&key=AIzaSyD-nhJADgF50b3VFd0BVfOPZqrEpuJQHxQ

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://servicemanagement.clients6.google.com/v1/services/geocoding_backend?expand=serviceConfig&expand=projectSettings&view=CONSUMER_VIEW&%24outputDefaults=true&consumerProjectId=galileo-map-view-1487967109796&key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://servicemanagement.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=3600

URL

https://servicemanagement.clients6.google.com/v1/services:activate?alt=json&key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g

    Method

POST

    Parameter

Cache-Control

    Evidence

private

URL

https://servicemanagement.clients6.google.com/v1/operations/projectSettings.2018bab3-2972-4d06-84d6-72b29aec0914?key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://servicemanagement.clients6.google.com/v1/services/geocoding-backend.googleapis.com?expand=serviceConfig&expand=projectSettings&view=CONSUMER_VIEW&%24outputDefaults=true&consumerProjectId=galileo-map-view-1487967109796&key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g

    Method

GET

    Parameter

Cache-Control

    Evidence

private

Instances

8

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://servicemanagement.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

https://apis.google.com/js/googleapis.proxy.js?onload=startup

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/googleapis.proxy.js?onload=startup" async defer></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://social.msdn.microsoft.com/Forums/en-US/rightrailannouncement/Msdn/1794d07f-9d4e-4dc0-8c1c-8bfe9d5e0bce?rnd=0.45446116560947414

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://social.msdn.microsoft.com/Forums/en-US/rightrailannouncement/Msdn/1794d07f-9d4e-4dc0-8c1c-8bfe9d5e0bce?rnd=0.8023461152124363

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/search/RelatedThreadsByThread?searchTerm=Implict%20converion%20from%20DATIME%20to%20SMALLDATETIME%20&threadId=fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa&allLanguages=False

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://social.msdn.microsoft.com/Forums/en-US/rightrailannouncement/Msdn/1794d07f-9d4e-4dc0-8c1c-8bfe9d5e0bce?rnd=0.9554072225179244

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

X-Content-Type-Options

Instances

5

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

https://i1.social.s-msft.com/Forums/RequestReduceContent/0a2f6dbf06b9f0a53d16b1e5d0f929ac-dff89e51e56a79ed646ef2b26dec6b95-RequestReducedScript.js

    Evidence

<script src="https://i1.social.s-msft.com/Forums/RequestReduceContent/0a2f6dbf06b9f0a53d16b1e5d0f929ac-dff89e51e56a79ed646ef2b26dec6b95-RequestReducedScript.js" type="text/javascript" ></script>

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

https://i1.social.s-msft.com/Forums/RequestReduceContent/fbeddfde7c678cd5341121e0ee23c711-764641120452f582c83dce86b5200c2e-RequestReducedScript.js

    Evidence

<script src="https://i1.social.s-msft.com/Forums/RequestReduceContent/fbeddfde7c678cd5341121e0ee23c711-764641120452f582c83dce86b5200c2e-RequestReducedScript.js" type="text/javascript" ></script>

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

https://ajax.aspnetcdn.com/ajax/jquery/jquery-1.11.0.min.js

    Evidence

<script src="https://ajax.aspnetcdn.com/ajax/jquery/jquery-1.11.0.min.js" type="text/javascript" language="javascript"></script>

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

https://i1.social.s-msft.com/Forums/resources/scripts/messages.js?cver=0%0d%0a

    Evidence

<script src="https://i1.social.s-msft.com/Forums/resources/scripts/messages.js?cver=0%0d%0a" type="text/javascript" language="javascript"></script>

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

https://i1.social.s-msft.com/Forums/RequestReduceContent/81d2b4286e0d3e86fbf7f2e3a2468529-c769c4ecaf33d04f3dea6af4337b9847-RequestReducedScript.js

    Evidence

<script src="https://i1.social.s-msft.com/Forums/RequestReduceContent/81d2b4286e0d3e86fbf7f2e3a2468529-c769c4ecaf33d04f3dea6af4337b9847-RequestReducedScript.js" type="text/javascript" ></script>

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

https://ajax.aspnetcdn.com/ajax/jquery.ui/1.10.4/jquery-ui.js

    Evidence

<script type="text/javascript" src="https://ajax.aspnetcdn.com/ajax/jquery.ui/1.10.4/jquery-ui.js"></script>

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

https://i1.social.s-msft.com/Forums/resources/scripts/jquery-impromptu.3.1.min.js?cver=0%0d%0a

    Evidence

<script type="text/javascript" src="https://i1.social.s-msft.com/Forums/resources/scripts/jquery-impromptu.3.1.min.js?cver=0%0d%0a"></script>

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

https://i1.social.s-msft.com/Forums/resources/scripts/core.js?cver=0%0d%0a

    Evidence

<script src="https://i1.social.s-msft.com/Forums/resources/scripts/core.js?cver=0%0d%0a" type="text/javascript" language="javascript"></script>

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

https://i1.social.s-msft.com/Forums/RequestReduceContent/3c5c66dae383e989c2436e51e0b95498-df4d2dc89d69a0cd231342274ee34c28-RequestReducedScript.js

    Evidence

<script src="https://i1.social.s-msft.com/Forums/RequestReduceContent/3c5c66dae383e989c2436e51e0b95498-df4d2dc89d69a0cd231342274ee34c28-RequestReducedScript.js" type="text/javascript" ></script>

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

https://ajax.aspnetcdn.com/ajax/jquery.migrate/jquery-migrate-1.2.1.min.js

    Evidence

<script src="https://ajax.aspnetcdn.com/ajax/jquery.migrate/jquery-migrate-1.2.1.min.js" type="text/javascript" language="javascript"></script>

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

https://i1.social.s-msft.com/Forums/RequestReduceContent/198faff60a83dd768cacdf60118b0b19-6584225de39c1527dd5dd7bce11792ab-RequestReducedScript.js

    Evidence

<script src="https://i1.social.s-msft.com/Forums/RequestReduceContent/198faff60a83dd768cacdf60118b0b19-6584225de39c1527dd5dd7bce11792ab-RequestReducedScript.js" type="text/javascript" ></script>

Instances

11

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/search/RelatedThreadsByThread?searchTerm=Implict%20converion%20from%20DATIME%20to%20SMALLDATETIME%20&threadId=fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa&allLanguages=False

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, no-cache, no-store

URL

https://social.msdn.microsoft.com/Forums/en-US/rightrailannouncement/Msdn/1794d07f-9d4e-4dc0-8c1c-8bfe9d5e0bce?rnd=0.8023461152124363

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, no-cache, no-store

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, no-cache, no-store

URL

https://social.msdn.microsoft.com/Forums/en-US/rightrailannouncement/Msdn/1794d07f-9d4e-4dc0-8c1c-8bfe9d5e0bce?rnd=0.9554072225179244

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, no-cache, no-store

URL

https://social.msdn.microsoft.com/Forums/en-US/rightrailannouncement/Msdn/1794d07f-9d4e-4dc0-8c1c-8bfe9d5e0bce?rnd=0.45446116560947414

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, no-cache, no-store

Instances

5

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Secure Pages Include Mixed Content

Description

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Evidence

http://m.webtrends.com/dcsour5e80000008ybade4ttg_1i1l/njs.gif?dcsuri=/nojavascript&WT.js=No

Instances

1

Solution

A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.

The page must not contain any content that is transmitted over unencrypted HTTP.

This includes content from third party sites.

Other information

tag=img src=http://m.webtrends.com/dcsour5e80000008ybade4ttg_1i1l/njs.gif?dcsuri=/nojavascript&WT.js=No

Reference

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

CWE Id

311

WASC Id

4

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

.ASPXANONYMOUS

    Evidence

Set-Cookie: .ASPXANONYMOUS

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

__RequestVerificationToken_L0ZvcnVtcw2

    Evidence

Set-Cookie: __RequestVerificationToken_L0ZvcnVtcw2

Instances

2

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://social.msdn.microsoft.com/Forums/en-US/rightrailannouncement/Msdn/1794d07f-9d4e-4dc0-8c1c-8bfe9d5e0bce?rnd=0.45446116560947414

    Method

GET

    Parameter

X-XSS-Protection

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/search/RelatedThreadsByThread?searchTerm=Implict%20converion%20from%20DATIME%20to%20SMALLDATETIME%20&threadId=fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa&allLanguages=False

    Method

GET

    Parameter

X-XSS-Protection

URL

https://social.msdn.microsoft.com/Forums/en-US/rightrailannouncement/Msdn/1794d07f-9d4e-4dc0-8c1c-8bfe9d5e0bce?rnd=0.8023461152124363

    Method

GET

    Parameter

X-XSS-Protection

URL

https://social.msdn.microsoft.com/Forums/en-US/rightrailannouncement/Msdn/1794d07f-9d4e-4dc0-8c1c-8bfe9d5e0bce?rnd=0.9554072225179244

    Method

GET

    Parameter

X-XSS-Protection

URL

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc7008b5-6ad1-4f55-a7e0-979ca69d6ffa/implict-converion-from-datime-to-smalldatetime?forum=transactsql

    Method

GET

    Parameter

X-XSS-Protection

Instances

5

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://sound.peal.io/ps/audios/000/000/568/original/It's_gazorpazorpfield.wav?1469744416

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/547/original/Oooo_yeah__caaan_doo!.wav?1469744219

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/550/original/get_schwifty_in_here.wav?1469744423

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/707/original/Good_Job!.wav?1469744191

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/532/original/whatever.wav?1469743960

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/563/original/I'm_ants_in_my_eye_johnson.wav?1469744200

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/544/original/AIDS!.wav?1469743965

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/537/original/woo_vu_luvub_dub_dub.wav?1469744420

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/533/original/Riggity.wav?1469744359

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/536/original/Awww_Bitch.wav?1469744431

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/552/original/butthole.wav?1469744432

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/551/original/my_man.wav?1469744453

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/553/original/oh_man.wav?1469744452

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://sound.peal.io/ps/audios/000/000/848/original/rick.wav?1469743991

    Method

GET

    Parameter

X-Content-Type-Options

Instances

14

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://ssl.gstatic.com/chrome/components/doodle-notifier-02.html

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=86400

URL

https://ssl.gstatic.com/support/realtime/operatorParams

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=300

URL

https://ssl.gstatic.com/chrome/components/doodle-notifier-01.html

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=86400

URL

https://ssl.gstatic.com/_/commonsharing/_/ss/k=commonsharing.share.-pjj3xveq5oog.L.W.O/d=0/rs=AIt5m0Uv1jKtBcErptFjMg5UY3U9vxsYGg

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=31536000

Instances

4

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://stackoverflow.com/questions/5591473/error-string-or-binary-data-would-be-truncated-when-trying-to-insert

    Method

GET

    Parameter

X-XSS-Protection

URL

https://stackoverflow.com/questions/5622158/sql-server-date-vs-smalldatetime

    Method

GET

    Parameter

X-XSS-Protection

URL

https://stackoverflow.com/questions/12099059/how-to-convert-varchar-to-datetime-in-t-sql

    Method

GET

    Parameter

X-XSS-Protection

URL

https://stackoverflow.com/questions/1135746/sql-server-convert-string-to-datetime

    Method

GET

    Parameter

X-XSS-Protection

Instances

4

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://stackoverflow.com/questions/5591473/error-string-or-binary-data-would-be-truncated-when-trying-to-insert

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://stackoverflow.com/questions/1135746/sql-server-convert-string-to-datetime

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://stackoverflow.com/questions/5622158/sql-server-date-vs-smalldatetime

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://stackoverflow.com/questions/12099059/how-to-convert-varchar-to-datetime-in-t-sql

    Method

GET

    Parameter

Cache-Control

    Evidence

private

Instances

4

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://stackoverflow.com/questions/5591473/error-string-or-binary-data-would-be-truncated-when-trying-to-insert

    Method

GET

    Parameter

https://cdn.sstatic.net/Js/stub.en.js?v=4a0d73eae37e

    Evidence

<script src="https://cdn.sstatic.net/Js/stub.en.js?v=4a0d73eae37e"></script>

URL

https://stackoverflow.com/questions/5591473/error-string-or-binary-data-would-be-truncated-when-trying-to-insert

    Method

GET

    Parameter

https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js

    Evidence

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>

URL

https://stackoverflow.com/questions/12099059/how-to-convert-varchar-to-datetime-in-t-sql

    Method

GET

    Parameter

https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js

    Evidence

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>

URL

https://stackoverflow.com/questions/5622158/sql-server-date-vs-smalldatetime

    Method

GET

    Parameter

https://cdn.sstatic.net/Js/stub.en.js?v=4a0d73eae37e

    Evidence

<script src="https://cdn.sstatic.net/Js/stub.en.js?v=4a0d73eae37e"></script>

URL

https://stackoverflow.com/questions/12099059/how-to-convert-varchar-to-datetime-in-t-sql

    Method

GET

    Parameter

https://cdn.sstatic.net/Js/stub.en.js?v=4a0d73eae37e

    Evidence

<script src="https://cdn.sstatic.net/Js/stub.en.js?v=4a0d73eae37e"></script>

URL

https://stackoverflow.com/questions/5622158/sql-server-date-vs-smalldatetime

    Method

GET

    Parameter

https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js

    Evidence

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>

URL

https://stackoverflow.com/questions/1135746/sql-server-convert-string-to-datetime

    Method

GET

    Parameter

https://cdn.sstatic.net/Js/stub.en.js?v=4a0d73eae37e

    Evidence

<script src="https://cdn.sstatic.net/Js/stub.en.js?v=4a0d73eae37e"></script>

URL

https://stackoverflow.com/questions/1135746/sql-server-convert-string-to-datetime

    Method

GET

    Parameter

https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js

    Evidence

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>

Instances

8

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://stackoverflow.com/questions/1135746/sql-server-convert-string-to-datetime

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://stackoverflow.com/questions/5622158/sql-server-date-vs-smalldatetime

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://stackoverflow.com/questions/12099059/how-to-convert-varchar-to-datetime-in-t-sql

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://stackoverflow.com/questions/5591473/error-string-or-binary-data-would-be-truncated-when-trying-to-insert

    Method

GET

    Parameter

X-Content-Type-Options

Instances

4

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://static.addtoany.com/menu/sm.16.html

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=315360000

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://static.addtoany.com/menu/sm.16.html

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://static.criteo.net/js/ld/publishertag.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://static.eu.criteo.net/empty.html

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://static.eu.criteo.net/empty.html

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://static.eu.criteo.net/empty.html

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31104000, public

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yG/l/0,cross/6ensFUBzgTX.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/uqhJLZ6mZpw.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yx/l/0,cross/vvSNPluvZ2_.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yK/l/0,cross/lWx3uz2p46L.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/y4/l/0,cross/LIdk0Mq5oY-.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yj/l/0,cross/OLgs07KHrwp.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yy/l/0,cross/hGOYjYF57vL.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yg/l/0,cross/_DAK8p1Ploy.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yG/l/0,cross/9ITBJjyy8Dq.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/Pt8O4LTQq_s.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/RwIWbNS4kmI.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yO/l/0,cross/FmEVnEnKI7U.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yq/l/0,cross/jSfvZMIA_Bb.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/y4/l/0,cross/Y_7k2_TkzlV.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0,cross/durkC4t7suN.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yL/l/0,cross/HW18jYE2i7z.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yn/l/0,cross/BevbehXJ3Kq.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/y-/l/0,cross/morDfKgdZy9.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/ys/l/0,cross/5j6ofC_JrjC.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

URL

https://static.xx.fbcdn.net/rsrc.php/v3/yG/l/0,cross/rnskokit7Hp.css

    Method

GET

    Parameter

Cache-Control

    Evidence

public,max-age=31536000,immutable

Instances

35

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://stats.wp.com/w.js?56

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://su.itunes.apple.com/WebObjects/MZSoftwareUpdate.woa/wa/availableSoftwareUpdatesExtended

    Method

POST

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://swscan.apple.com/content/catalogs/others/index-noticeboard-10.10-noticeboard-10.9-noticeboard.merged-1.sucatalog

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

https://s1.wp.com/_static/??-eJyFztEKwjAMBdAfsquTiXsRv6XWOFKXtDbphn69HeiDMBQCgdzDJXZOBtmP5QJiQ517gfx4rybIxv4ChnDITqEh5A/2kRVYF0vxjCOYIpDdUG+16BpXXIqiBCIVraTfLyFPCPNfFkCT8zeTQfC5tJ7o2Hb9Yde3+24bXjRNW9I=

    Evidence

<script type='text/javascript' src='https://s1.wp.com/_static/??-eJyFztEKwjAMBdAfsquTiXsRv6XWOFKXtDbphn69HeiDMBQCgdzDJXZOBtmP5QJiQ517gfx4rybIxv4ChnDITqEh5A/2kRVYF0vxjCOYIpDdUG+16BpXXIqiBCIVraTfLyFPCPNfFkCT8zeTQfC5tJ7o2Hb9Yde3+24bXjRNW9I='></script>

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

https://s1.wp.com/wp-content/mu-plugins/akismet-3.0/_inc/form.js?m=1404442431h

    Evidence

<script type='text/javascript' src='https://s1.wp.com/wp-content/mu-plugins/akismet-3.0/_inc/form.js?m=1404442431h'></script>

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

https://s2.wp.com/_static/??-eJyVkdtOwzAMhl+IzNuEQFwgnsVN3dZpTsRJx96eFFjpYKq0K1u//fkIp6h08Jl8BiPQ0sSa4sfOyAOsQq6oaEvPXsDySALvhQoN6FtLaSNZB+eqpL4hM9MNyIkj3QNdCX/BPJCrabE00JScgwcUofwFepy4x8zB30PJyLH28qPqgi6iOl7uwV7b0l5PlSja887xvx6rlbCtcdVgAoeSKVVPhYlS4rnYom1V0PMac4XFuzWUxN851rqpD0vnH7NbZ916AKZQhCwYyhH1qC7CBhODZNVZ5AQyYGLfX2yF3tzr4fHluN8/HY7P5hOVaOu5

    Evidence

<script type='text/javascript' src='https://s2.wp.com/_static/??-eJyVkdtOwzAMhl+IzNuEQFwgnsVN3dZpTsRJx96eFFjpYKq0K1u//fkIp6h08Jl8BiPQ0sSa4sfOyAOsQq6oaEvPXsDySALvhQoN6FtLaSNZB+eqpL4hM9MNyIkj3QNdCX/BPJCrabE00JScgwcUofwFepy4x8zB30PJyLH28qPqgi6iOl7uwV7b0l5PlSja887xvx6rlbCtcdVgAoeSKVVPhYlS4rnYom1V0PMac4XFuzWUxN851rqpD0vnH7NbZ916AKZQhCwYyhH1qC7CBhODZNVZ5AQyYGLfX2yF3tzr4fHluN8/HY7P5hOVaOu5'></script>

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

https://static.criteo.net/js/ld/publishertag.js

    Evidence

<script type="text/javascript" src="https://static.criteo.net/js/ld/publishertag.js"></script>

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

//stats.wp.com/w.js?56

    Evidence

<script src="//stats.wp.com/w.js?56" type="text/javascript" async defer></script>

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

//0.gravatar.com/js/gprofiles.js?ver=201726y

    Evidence

<script type='text/javascript' src='//0.gravatar.com/js/gprofiles.js?ver=201726y'></script>

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

//s.pubmine.com/head.js

    Evidence

<script type="text/javascript" src="//s.pubmine.com/head.js"></script>

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

https://s1.wp.com/wp-content/mu-plugins/gravatar-hovercards/wpgroho.js?m=1380573781h

    Evidence

<script type='text/javascript' src='https://s1.wp.com/wp-content/mu-plugins/gravatar-hovercards/wpgroho.js?m=1380573781h'></script>

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

https://s2.wp.com/_static/??/wp-content/js/jquery/jquery.autoresize.js,/wp-content/mu-plugins/highlander-comments/script.js?m=1479964158j

    Evidence

<script type='text/javascript' src='https://s2.wp.com/_static/??/wp-content/js/jquery/jquery.autoresize.js,/wp-content/mu-plugins/highlander-comments/script.js?m=1479964158j'></script>

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

https://s0.wp.com/_static/??-eJzTLy/QTc7PK0nNK9EvyClNz8wr1i+uzCtJrMjITM/IAeKS1CJMEWP94uSizIISoOIM5/yiVL2sYh19yo1yKiotzvBKLEsEmmefa2toYmRkbGJkaGySBQDQrj/5

    Evidence

<script type='text/javascript' src='https://s0.wp.com/_static/??-eJzTLy/QTc7PK0nNK9EvyClNz8wr1i+uzCtJrMjITM/IAeKS1CJMEWP94uSizIISoOIM5/yiVL2sYh19yo1yKiotzvBKLEsEmmefa2toYmRkbGJkaGySBQDQrj/5'></script>

Instances

10

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://teamforcesite.wordpress.com/2016/07/21/integration-of-salesforce-with-shopify-application/

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=300, must-revalidate

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://tos-pa.clients6.google.com/v1/user/0/required?tos_ids=pantheon&tos_ids=cloud&tos_ids=maps&alt=json&key=AIzaSyD-nhJADgF50b3VFd0BVfOPZqrEpuJQHxQ

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://tos-pa.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=3600

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://tos-pa.clients6.google.com/static/proxy.html?jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en.KP3DNSDF_28.O%2Fm%3D__features__%2Fam%3DEQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOmkDVt5jhMRwoBhmLeN72h7hjIXw

    Method

GET

    Parameter

https://apis.google.com/js/googleapis.proxy.js?onload=startup

    Evidence

<script type="text/javascript" src="https://apis.google.com/js/googleapis.proxy.js?onload=startup" async defer></script>

Instances

1

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://tracker-api.toptal.com/projects/70376/activities

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/users/me?access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America%2FLos_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/activities/4047346/proofs

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/activities/4047892/proofs

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/activities/4048660/proofs

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/reports/activities?project_ids%5B%5D=34834&worker_ids=all&start_date=2017-06-01&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/reports/filters?&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/projects?access_token=RVJoU1hJbDFoMXdOVDhqcGF1dExaUzV0YkdlaFk4WkZtV21CUDJ6NVpwMnpUZWc0eXY1Nlo3eC9aWlNCcHBYOS0tVHNPcWpvVEVTVTk4UzBtOFlkcTBEdz09--2097cee1a357538c8d59cb48bf4460eb996bb6ee

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/reports/chart?project_ids%5B%5D=21029&worker_ids=all&start_date=2017-06-01&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/reports/activities?project_ids%5B%5D=34834&project_ids%5B%5D=21029&worker_ids=all&start_date=2017-06-01&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/users/me/storages/tracker_web?access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America%2FLos_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/reports/filters?selected_project_ids%5B%5D=29776&selected_project_ids%5B%5D=69245&selected_project_ids%5B%5D=72968&selected_project_ids%5B%5D=70376&selected_project_ids%5B%5D=21029&selected_project_ids%5B%5D=21031&selected_project_ids%5B%5D=39502&selected_project_ids%5B%5D=21028&selected_project_ids%5B%5D=34834&selected_project_ids%5B%5D=64611&selected_project_ids%5B%5D=22648&selected_project_ids%5B%5D=21030&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/reports/chart?project_ids%5B%5D=34834&project_ids%5B%5D=21029&worker_ids=all&start_date=2017-06-01&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/activities/4049221/proofs

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/reports/chart?project_ids%5B%5D=29776&project_ids%5B%5D=69245&project_ids%5B%5D=72968&project_ids%5B%5D=70376&project_ids%5B%5D=21029&project_ids%5B%5D=21031&project_ids%5B%5D=39502&project_ids%5B%5D=21028&project_ids%5B%5D=34834&project_ids%5B%5D=64611&project_ids%5B%5D=22648&project_ids%5B%5D=21030&worker_ids=all&start_date=2017-06-24&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/reports/filters?selected_project_ids%5B%5D=29776&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/activities/4049438/proofs

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/reports/activities?project_ids%5B%5D=21029&worker_ids=all&start_date=2017-06-01&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/reports/filters?selected_project_ids%5B%5D=34834&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

URL

https://tracker-api.toptal.com/activities/4048879/proofs

    Method

POST

    Parameter

Cache-Control

    Evidence

max-age=0, private, must-revalidate

Instances

42

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://tracker-api.toptal.com/users/status?user_ids%5B%5D=10843&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/reports/chart?project_ids%5B%5D=29776&project_ids%5B%5D=69245&project_ids%5B%5D=72968&project_ids%5B%5D=70376&project_ids%5B%5D=21029&project_ids%5B%5D=21031&project_ids%5B%5D=39502&project_ids%5B%5D=21028&project_ids%5B%5D=34834&project_ids%5B%5D=64611&project_ids%5B%5D=22648&project_ids%5B%5D=21030&worker_ids=all&start_date=2017-06-24&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/reports/filters?selected_project_ids%5B%5D=29776&selected_project_ids%5B%5D=69245&selected_project_ids%5B%5D=72968&selected_project_ids%5B%5D=70376&selected_project_ids%5B%5D=21029&selected_project_ids%5B%5D=21031&selected_project_ids%5B%5D=39502&selected_project_ids%5B%5D=21028&selected_project_ids%5B%5D=34834&selected_project_ids%5B%5D=64611&selected_project_ids%5B%5D=22648&selected_project_ids%5B%5D=21030&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/reports/activities?project_ids%5B%5D=34834&worker_ids=all&start_date=2017-06-01&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/reports/chart?project_ids%5B%5D=34834&worker_ids=all&start_date=2017-06-01&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/activities/4048660/proofs

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/users/me?access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America%2FLos_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/reports/filters?selected_project_ids%5B%5D=29776&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/activities/4047892/proofs

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/activities/4047346/proofs

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/activities/4046802/proofs

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/reports/chart?project_ids%5B%5D=34834&project_ids%5B%5D=21029&worker_ids=all&start_date=2017-06-01&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/reports/timetable?project_ids%5B%5D=29776&worker_ids=all&start_date=2017-06-24&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/reports/activities?project_ids%5B%5D=21029&worker_ids=all&start_date=2017-06-01&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/activities/4049438/proofs

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/reports/filters?&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/reports/filters?selected_project_ids%5B%5D=34834&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/reports/activities?project_ids%5B%5D=34834&worker_ids=all&start_date=2017-06-24&end_date=2017-06-30&access_token=cWF0Zkl0cVE4NXA0S3lmbzJsa0NyY0d3T3h0bWJjN2drVjdCU28zRmJWRUNMSkZsT1RwZnBydHg5dmcyM1B5My0tbWNnZ3Z1eWRCaHE3YXRCR1Vka3VvUT09--28def0f614077d786cad70de06e35d2fdf872e26&time_zone=America/Los_Angeles

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/activities/4049221/proofs

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://tracker-api.toptal.com/activities/4049101/proofs

    Method

POST

    Parameter

X-Content-Type-Options

Instances

43

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://tracker.toptal.com/tracker/assets/js/3-bc0a2af0df8243827bb6.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/tracker/assets/js/public-828da26edcbb9e2ed719.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/tracker/assets/fa390ebca04dbcdd9194232c899d0d16.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/tracker/assets/js/5-fcc79d101ba625bcbaba.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/tracker/assets/css/app-224fa29504a72f24c9dd.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/tracker/assets/0f7d01e64b978345ee736147216b0102.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/signin

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/tracker/assets/js/2-cfce977db596e30244ea.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/tracker/assets/css/public-828da26edcbb9e2ed719.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/?email=hdspeedfreak%40gmail.com&password=fxdl97&remember_me=on

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/tracker/assets/js/app-224fa29504a72f24c9dd.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/tracker/assets/84d7d6494e5cac5dcfdc294fe198ac50.woff2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/tracker/assets/d60396454cec2a1460bcf14ee4aa5991.woff

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/app/reports

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://tracker.toptal.com/tracker/assets/440f1ffab8e5cd91d50f61d56386f66a.woff2

    Method

GET

    Parameter

X-Content-Type-Options

Instances

15

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://tracker.toptal.com/?email=hdspeedfreak%40gmail.com&password=fxdl97&remember_me=on

    Method

GET

    Parameter

X-XSS-Protection

URL

https://tracker.toptal.com/app/reports

    Method

GET

    Parameter

X-XSS-Protection

URL

https://tracker.toptal.com/signin

    Method

GET

    Parameter

X-XSS-Protection

Instances

3

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://tracker.toptal.com/?email=hdspeedfreak%40gmail.com&password=fxdl97&remember_me=on

    Method

GET

    Parameter

https://cdn.ravenjs.com/3.14.2/raven.min.js

    Evidence

<script src='https://cdn.ravenjs.com/3.14.2/raven.min.js'></script>

URL

https://tracker.toptal.com/app/reports

    Method

GET

    Parameter

https://cdn.ravenjs.com/3.14.2/raven.min.js

    Evidence

<script src='https://cdn.ravenjs.com/3.14.2/raven.min.js'></script>

URL

https://tracker.toptal.com/signin

    Method

GET

    Parameter

https://cdn.ravenjs.com/3.14.2/raven.min.js

    Evidence

<script src='https://cdn.ravenjs.com/3.14.2/raven.min.js'></script>

Instances

3

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://tracker.toptal.com/?email=hdspeedfreak%40gmail.com&password=fxdl97&remember_me=on

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://tracker.toptal.com/app/reports

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://tracker.toptal.com/tracker/assets/css/app-224fa29504a72f24c9dd.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public

URL

https://tracker.toptal.com/signin

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://tracker.toptal.com/tracker/assets/css/public-828da26edcbb9e2ed719.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=315360000, public

Instances

5

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://trello.com/login/sso?returnUrl=%2Fpower-ups

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/signup?returnUrl=%2Fteams

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/login?returnUrl=/recommend

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/contact?context=load-failure&source=from%20in%20app%20footer

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/login/sso?returnUrl=%2Fcontact%3Fcontext%3Dload-failure

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/signup?returnUrl=%2Famendment-to-trello-terms-of-service-applicable-to-government-users

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/cfe32e63c0dc7dced3300c77cdea9f48/underscore.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/cfe32e63c0dc7dced3300c77cdea9f48/underscore.min.js"></script>

URL

https://trello.com/recommend

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/login?returnUrl=/teams/marketing

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/jobs/contact?gh_jid=267969

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/login?returnUrl=%2Fguide%2Fgetting-started

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/login?returnUrl=%2Flegal%2Fdmca

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/login?returnUrl=/select-team-to-upgrade

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/contact?context=load-failure&source=from%20in%20app%20footer

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/debe37462027c4721a4c742029986b0c/bluebird.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/debe37462027c4721a4c742029986b0c/bluebird.min.js"></script>

URL

https://trello.com/signup?returnUrl=%2Fwebinars

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/login?returnUrl=/forgot

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/login?returnUrl=/privacy

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/guide/enterprise/teamadmin.html

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/home

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/6b09278d062086ad80c1c949f464a6f1/template.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/6b09278d062086ad80c1c949f464a6f1/template.js"></script>

URL

https://trello.com/signup?returnUrl=%2Frecommend

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/p/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

URL

https://trello.com/teams/product

    Method

GET

    Parameter

https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js

    Evidence

<script src="https://d2k1ftgv7pobq7.cloudfront.net/meta/u/res/js/67806f9ff1ce059372fafdc52c3073c2/jquery.min.js"></script>

Instances

308

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://trello.com/c/xesyKtR2/73-expose-sync-query-option-to-segment-builder-page

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/guide/team-administration.html

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/guide/collaborate.html

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/b/uGtv1gr7/recruiting-pipeline

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/Xc3nkObK

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/VY0k0e5E/19-clean-up-js-files-set-up-bower-properly-to-pull-on-deploy

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/o4Rcp8O5/53-add-modal-boxes-with-custom-timeouts-for-user-alerts

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/gnCCQznC/43-hide-go-to-page-if-no-preview-results-in-no-matching-records

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/SVaqVSRr

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/C4UEutLu/4-review-branching-strategy

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/%3C%25-%20avatarUrl%20%25%3E

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/SxtloHuD

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/kvq2SYQT

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/fIbU3hsX

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/c7jJwgGk

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/NkwSf1eg

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/c/s3ymUzyH/2-beware-of-flask-012-itll-break-webassets

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/login/sso?returnUrl=%2Fteams

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/login?returnUrl=/logged-out

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

URL

https://trello.com/login?returnUrl=%2Fteams%2Fsales

    Method

GET

    Parameter

Cache-Control

    Evidence

no-store, no-cache

Instances

483

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Password Autocomplete in Browser

Description

The AUTOCOMPLETE attribute is not disabled on an HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved.

URL

https://trello.com/login?returnUrl=%2Fhome

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=/legal

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=/teams/marketing

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=/forgot

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=%2Fintegrations

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=/teams/support

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=%2Fjobs

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=%2Fguide

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=%2Fjobs%2Fcontact%3Fgh_jid%3D267969

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=%2Fpower-ups

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=%2Fguide%2Fgetting-started

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=/associate/

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=%2Fforgot%3Femail%3Dfoo-bar%2540example.com

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=%2Ftaco-game

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=/guide

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=/contact

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=%2Flegal

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=%2Fteams%2Fmarketing

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=/teams/product

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

URL

https://trello.com/login?returnUrl=/forgot?email=foo-bar%40example.com

    Method

GET

    Parameter

password

    Evidence

<input type="password" name="password" id="password" tabindex=2 placeholder="e.g., ••••••••••••">

Instances

84

Solution

Turn off the AUTOCOMPLETE attribute in forms or individual input elements containing password inputs by using AUTOCOMPLETE='OFF'.

Reference

http://www.w3schools.com/tags/att_input_autocomplete.asp

https://msdn.microsoft.com/en-us/library/ms533486%28v=vs.85%29.aspx

CWE Id

525

WASC Id

15

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://trello.com/

    Method

GET

    Parameter

lang

    Evidence

Set-Cookie: lang

URL

https://trello.com/osd.xml

    Method

GET

    Parameter

dsc

    Evidence

Set-Cookie: dsc

URL

https://trello.com/1/authorization/session

    Method

POST

    Parameter

token

    Evidence

Set-Cookie: token

URL

https://trello.com/logout

    Method

POST

    Parameter

referrer

    Evidence

Set-Cookie: referrer

URL

https://trello.com/1/authorization/session

    Method

POST

    Parameter

hasAccount

    Evidence

Set-Cookie: hasAccount

URL

https://trello.com/logout

    Method

POST

    Parameter

token

    Evidence

Set-Cookie: token

URL

https://trello.com/robots.txt

    Method

GET

    Parameter

dsc

    Evidence

Set-Cookie: dsc

URL

https://trello.com/

    Method

GET

    Parameter

mab

    Evidence

Set-Cookie: mab

URL

https://trello.com/

    Method

GET

    Parameter

dsc

    Evidence

Set-Cookie: dsc

Instances

9

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://trello.com/

    Method

GET

    Parameter

mab

    Evidence

Set-Cookie: mab

URL

https://trello.com/logout

    Method

POST

    Parameter

referrer

    Evidence

Set-Cookie: referrer

URL

https://trello.com/

    Method

GET

    Parameter

lang

    Evidence

Set-Cookie: lang

URL

https://trello.com/1/authorization/session

    Method

POST

    Parameter

hasAccount

    Evidence

Set-Cookie: hasAccount

Instances

4

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://us-west-2.dc.ads.linkedin.com/collect/?pid=543&fmt=gif&ck=

    Method

GET

    Parameter

BizoCustomSegments

    Evidence

Set-Cookie: BizoCustomSegments

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://us-west-2.dc.ads.linkedin.com/collect/?pid=543&fmt=gif&ck=

    Method

GET

    Parameter

BizoData

    Evidence

Set-Cookie: BizoData

URL

https://us-west-2.dc.ads.linkedin.com/collect/?pid=543&fmt=gif&ck=

    Method

GET

    Parameter

BizoID

    Evidence

Set-Cookie: BizoID

Instances

2

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://use.typekit.net/af/e6ebb0/0000000000000000000132a8/27/l?subset_id=1&fvd=n3&v=3

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://use.typekit.net/af/71f8bf/0000000000000000000132ad/27/l?subset_id=1&fvd=n7&v=3

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://use.typekit.net/af/bc18af/0000000000000000000132ae/27/l?subset_id=1&fvd=i7&v=3

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://use.typekit.net/dpl7tbg.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://use.typekit.net/af/45b9e4/0000000000000000000132a9/27/l?subset_id=1&fvd=i3&v=3

    Method

GET

    Parameter

X-Content-Type-Options

Instances

5

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://web.vortex.data.microsoft.com/collect/v1?ext-javascript-msfpc=%27ID%253Df82a10690ebc4adfaba84fef45e66534%2526CS%253D2%2526LV%253D201703%2526V%253D1%27

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

URL

https://web.vortex.data.microsoft.com/collect/v1

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, no-store

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://web.vortex.data.microsoft.com/collect/v1/t.js?name=%27Ms.Webi.PageView%27&-ver=%271.0%27&-impressionGuid=%27de939140-2ee8-4e57-81e4-b538ff221036%27&-pageName=%27sql%27&-uri=%27https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql%27&-referrerUri=%27https%3A%2F%2Fwww.google.com%2F%27&-resHeight=1080&-resWidth=1920&-pageTags=%27%7B%22asst%22%3A%22658039ec-8dc2-4251-bc82-30ea23708cee%22%2C%22pgauth%22%3A%22rickbyh%22%2C%22pageName%22%3A%22092a9196-c45d-26e5-5a98-3fa894692666%22%2C%22pageType%22%3A%22Conceptual%22%2C%22pgpubl%22%3A%22OP%22%2C%22market%22%3A%22en-us%22%2C%22metaTags%22%3A%7B%22ms.suite%22%3A%22%22%2C%22ms.custom%22%3A%22%22%2C%22ms.tgt_pltfrm%22%3A%22%22%2C%22ms.assetid%22%3A%22658039ec-8dc2-4251-bc82-30ea23708cee%22%2C%22ms.author%22%3A%22rickbyh%22%2C%22ms.topic%22%3A%22language-reference%22%2C%22ms.date%22%3A%2206%2F28%2F2017%22%2C%22ms.technology%22%3A%22database-engine%22%2C%22ms.prod%22%3A%22sql-non-specified%22%2C%22ms.reviewer%22%3A%22%22%2C%22ms.documentid%22%3A%22092a9196-c45d-26e5-5a98-3fa894692666%22%2C%22ms.contentlang%22%3A%22en-us%22%2C%22ms.publishtime%22%3A%222017-06-28%2010%3A39%20PM%22%2C%22ms.giturl%22%3A%22https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fsql-docs-pr%2Fblob%2Flive%2Fdocs%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql.md%22%2C%22ms.sitename%22%3A%22Docs%22%2C%22ms.gitcommit%22%3A%22https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fsql-docs-pr%2Fblob%2F3a4c30cd58f262cf14a4749997b49fa46dbe0965%2Fdocs%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql.md%22%2C%22ms.depotname%22%3A%22SQL.sql-content%22%2C%22ms.opspagetype%22%3A%22Conceptual%22%2C%22ms.locale%22%3A%22en-us%22%2C%22ms.lang%22%3A%22en%22%2C%22ms.loc%22%3A%22us%22%2C%22ms.theme%22%3A%22light%22%2C%22ms.contentsource%22%3A%22OP%22%2C%22ms.pvid%22%3A%2273F3553B-0EEE-4497-9962-C34B18E03D63%22%2C%22ms.perf.timing%22%3A%22%2C%2C0%2C31%2C80%2C80%2C853%2C859%2C890%2C1736%2C1739%2C%2C%2C%2C%22%7D%7D%27&-behavior=0&*baseType=%27Ms.Content.PageView%27&*cookieEnabled=true&*cookies=%27MSFPC%3DID%3Df82a10690ebc4adfaba84fef45e66534%26CS%3D2%26LV%3D201703%26V%3D1%3B%27&*isJs=true&*title=%27CASE%20(Transact-SQL)%20%7C%20Microsoft%20Docs%27&*isLoggedIn=false&*flashInstalled=false&ver=%272.1%27&time=%272017-06-30T19%3A58%3A34.121Z%27&os=%27MacOS%27&appId=%27JS%3ADocs%27&ext-javascript-ver=%271.1%27&ext-javascript-libVer=%274.1.0%27&ext-javascript-domain=%27docs.microsoft.com%27&ext-javascript-msfpc=%27ID%3Df82a10690ebc4adfaba84fef45e66534%26CS%3D2%26LV%3D201703%26V%3D1%27&ext-user-localId=%27t%3A0A707E40155B60CE38E47478115B632B%27

    Method

GET

    Parameter

MS0

    Evidence

Set-Cookie: MS0

Instances

1

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://web.vortex.data.microsoft.com/collect/v1/t.js?name=%27Ms.Webi.PageView%27&-ver=%271.0%27&-impressionGuid=%27de939140-2ee8-4e57-81e4-b538ff221036%27&-pageName=%27sql%27&-uri=%27https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql%27&-referrerUri=%27https%3A%2F%2Fwww.google.com%2F%27&-resHeight=1080&-resWidth=1920&-pageTags=%27%7B%22asst%22%3A%22658039ec-8dc2-4251-bc82-30ea23708cee%22%2C%22pgauth%22%3A%22rickbyh%22%2C%22pageName%22%3A%22092a9196-c45d-26e5-5a98-3fa894692666%22%2C%22pageType%22%3A%22Conceptual%22%2C%22pgpubl%22%3A%22OP%22%2C%22market%22%3A%22en-us%22%2C%22metaTags%22%3A%7B%22ms.suite%22%3A%22%22%2C%22ms.custom%22%3A%22%22%2C%22ms.tgt_pltfrm%22%3A%22%22%2C%22ms.assetid%22%3A%22658039ec-8dc2-4251-bc82-30ea23708cee%22%2C%22ms.author%22%3A%22rickbyh%22%2C%22ms.topic%22%3A%22language-reference%22%2C%22ms.date%22%3A%2206%2F28%2F2017%22%2C%22ms.technology%22%3A%22database-engine%22%2C%22ms.prod%22%3A%22sql-non-specified%22%2C%22ms.reviewer%22%3A%22%22%2C%22ms.documentid%22%3A%22092a9196-c45d-26e5-5a98-3fa894692666%22%2C%22ms.contentlang%22%3A%22en-us%22%2C%22ms.publishtime%22%3A%222017-06-28%2010%3A39%20PM%22%2C%22ms.giturl%22%3A%22https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fsql-docs-pr%2Fblob%2Flive%2Fdocs%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql.md%22%2C%22ms.sitename%22%3A%22Docs%22%2C%22ms.gitcommit%22%3A%22https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fsql-docs-pr%2Fblob%2F3a4c30cd58f262cf14a4749997b49fa46dbe0965%2Fdocs%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql.md%22%2C%22ms.depotname%22%3A%22SQL.sql-content%22%2C%22ms.opspagetype%22%3A%22Conceptual%22%2C%22ms.locale%22%3A%22en-us%22%2C%22ms.lang%22%3A%22en%22%2C%22ms.loc%22%3A%22us%22%2C%22ms.theme%22%3A%22light%22%2C%22ms.contentsource%22%3A%22OP%22%2C%22ms.pvid%22%3A%2273F3553B-0EEE-4497-9962-C34B18E03D63%22%2C%22ms.perf.timing%22%3A%22%2C%2C0%2C31%2C80%2C80%2C853%2C859%2C890%2C1736%2C1739%2C%2C%2C%2C%22%7D%7D%27&-behavior=0&*baseType=%27Ms.Content.PageView%27&*cookieEnabled=true&*cookies=%27MSFPC%3DID%3Df82a10690ebc4adfaba84fef45e66534%26CS%3D2%26LV%3D201703%26V%3D1%3B%27&*isJs=true&*title=%27CASE%20(Transact-SQL)%20%7C%20Microsoft%20Docs%27&*isLoggedIn=false&*flashInstalled=false&ver=%272.1%27&time=%272017-06-30T19%3A58%3A34.121Z%27&os=%27MacOS%27&appId=%27JS%3ADocs%27&ext-javascript-ver=%271.1%27&ext-javascript-libVer=%274.1.0%27&ext-javascript-domain=%27docs.microsoft.com%27&ext-javascript-msfpc=%27ID%3Df82a10690ebc4adfaba84fef45e66534%26CS%3D2%26LV%3D201703%26V%3D1%27&ext-user-localId=%27t%3A0A707E40155B60CE38E47478115B632B%27

    Method

GET

    Parameter

MS0

    Evidence

Set-Cookie: MS0

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://widgets.membership.s-msft.com/v1/loader.js?brand=Msdn&lang=en-US

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://widgets.services.microsoft.com/v1/jquery.textfill.js?brand=Msdn&lang=en-US&ver=4.9.0.0

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://widgets.services.microsoft.com/v1/usercard.css?brand=Msdn&lang=en-US&ver=4.9.0.0

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://widgets.services.microsoft.com/v1/jquery.timeago.js?brand=Msdn&lang=en-US&ver=4.9.0.0

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://widgets.services.microsoft.com/v1/UnifiedBaseballCard.css?brand=Msdn&lang=en-US&ver=4.9.0.0

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://widgets.services.microsoft.com/v1/user/usercard/?id=9054b6bb42694aa7828922c33d9cd059,d1229d9a54bf4912aec9f7b7e2270901,5518774e7b534a9d9821eb523c9a038f&lang=en-US&brand=Msdn&callback=jsonp_loadUserData0

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://widgets.services.microsoft.com/v1/widgets.js?brand=Msdn&lang=en-US&ver=4.9.0.0

    Method

GET

    Parameter

X-Content-Type-Options

Instances

6

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://widgets.services.microsoft.com/v1/user/usercard/?id=9054b6bb42694aa7828922c33d9cd059,d1229d9a54bf4912aec9f7b7e2270901,5518774e7b534a9d9821eb523c9a038f&lang=en-US&brand=Msdn&callback=jsonp_loadUserData0

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=600

URL

https://widgets.services.microsoft.com/v1/usercard.css?brand=Msdn&lang=en-US&ver=4.9.0.0

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=2592000

URL

https://widgets.services.microsoft.com/v1/UnifiedBaseballCard.css?brand=Msdn&lang=en-US&ver=4.9.0.0

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=2592000

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://widgets.wp.com/likes/master.html?ver=20170206

    Method

GET

    Parameter

Cache-Control

URL

https://widgets.wp.com/likes/

    Method

GET

    Parameter

Cache-Control

URL

https://widgets.wp.com/likes/style.css?ver=20170206

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://widgets.wp.com/likes/

    Method

GET

    Parameter

X-XSS-Protection

URL

https://widgets.wp.com/likes/master.html?ver=20170206

    Method

GET

    Parameter

X-XSS-Protection

Instances

2

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://widgets.wp.com/likes/likes-rest.js?ver=20170206

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://widgets.wp.com/likes/master.html?ver=20170206

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://widgets.wp.com/likes/style.css?ver=20170206

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://widgets.wp.com/likes/

    Method

GET

    Parameter

X-Content-Type-Options

Instances

4

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://www.adsensecustomsearchads.com/afs/ads?q=screwpop&adpage=1&ccfn=amazon_numbered_three_column_for_non_Search&r=m&fexp=21404%2C17300003&client=amazon&channel=g-channel-79%2Bg-channel-223&hl=en&adtest=off&type=0&oe=UTF-8&ie=UTF-8&jsei=3&format=n3&ad=n3&nocache=3301498854698925&num=0&output=uds_ads_only&v=3&bsl=10&u_his=4&u_tz=-420&dt=1498854698929&u_w=1920&u_h=1080&biw=-12245933&bih=-12245933&isw=1255&ish=1&psw=1255&psh=0&frm=2&uio=uv3-&jsv=18065&rurl=https%3A%2F%2Fd14qd3he45186l.cloudfront.net%2Fads-search32.html&referer=www.amazon.com

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=3600

URL

https://www.adsensecustomsearchads.com/afs/ads?q=screwpop&adpage=1&ccfn=amazon_numbered&r=m&fexp=21404%2C17300003&client=amazon&channel=g-channel-92%2Bg-channel-136%2Bg-channel-334&hl=en&adtest=off&type=0&oe=UTF-8&ie=UTF-8&jsei=3&format=n4&ad=n4&nocache=151498854653972&num=0&output=uds_ads_only&v=3&bsl=10&u_his=3&u_tz=-420&dt=1498854653973&u_w=1920&u_h=1080&biw=-12245933&bih=-12245933&isw=1059&ish=1&psw=1059&psh=0&frm=2&uio=uv3-&jsv=18065&rurl=https%3A%2F%2Fd14qd3he45186l.cloudfront.net%2Fads-search32.html&referer=www.amazon.com

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=3600

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://www.adsensecustomsearchads.com/afs/ads?q=screwpop&adpage=1&ccfn=amazon_numbered_three_column_for_non_Search&r=m&fexp=21404%2C17300003&client=amazon&channel=g-channel-79%2Bg-channel-223&hl=en&adtest=off&type=0&oe=UTF-8&ie=UTF-8&jsei=3&format=n3&ad=n3&nocache=3301498854698925&num=0&output=uds_ads_only&v=3&bsl=10&u_his=4&u_tz=-420&dt=1498854698929&u_w=1920&u_h=1080&biw=-12245933&bih=-12245933&isw=1255&ish=1&psw=1255&psh=0&frm=2&uio=uv3-&jsv=18065&rurl=https%3A%2F%2Fd14qd3he45186l.cloudfront.net%2Fads-search32.html&referer=www.amazon.com

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.adsensecustomsearchads.com/afs/ads?q=screwpop&adpage=1&ccfn=amazon_numbered&r=m&fexp=21404%2C17300003&client=amazon&channel=g-channel-92%2Bg-channel-136%2Bg-channel-334&hl=en&adtest=off&type=0&oe=UTF-8&ie=UTF-8&jsei=3&format=n4&ad=n4&nocache=151498854653972&num=0&output=uds_ads_only&v=3&bsl=10&u_his=3&u_tz=-420&dt=1498854653973&u_w=1920&u_h=1080&biw=-12245933&bih=-12245933&isw=1059&ish=1&psw=1059&psh=0&frm=2&uio=uv3-&jsv=18065&rurl=https%3A%2F%2Fd14qd3he45186l.cloudfront.net%2Fads-search32.html&referer=www.amazon.com

    Method

GET

    Parameter

X-Content-Type-Options

Instances

2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=&height=585&width=1291&_=1498854648687

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=https%3A%2F%2Fwww.amazon.com%2F&height=585&width=1291&_=1498854652085

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/overlay/display.html

    Method

POST

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/Screwpop-Utility-Stainless-Multi-tool-Bottle/dp/B00UZHT432/ref=sr_1_2?ie=UTF8&qid=1498854649&sr=8-2&keywords=screwpop

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=PW8F1ESSKAR2GQ8GZJ2T&hostPageType=Detail&_=1498854696891

    Method

GET

    Parameter

session-id

    Evidence

Set-cookie: session-id

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?timelineTooltipContent=timelinetooltip&metricKey=timelineTooltipMetric&rid=PW8F1ESSKAR2GQ8GZJ2T&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854697287

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?timelineTooltipContent=timelinetooltip&metricKey=timelineTooltipMetric&rid=PW8F1ESSKAR2GQ8GZJ2T&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854697287

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=&height=585&width=1291&_=1498854648687

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/ls/impress.html/ref=vas_lux_zip_refresh_?hitType=popUp

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=&height=585&width=1291&_=1498854648687

    Method

GET

    Parameter

session-id

    Evidence

Set-cookie: session-id

URL

https://www.amazon.com/gp/overlay/display.html

    Method

POST

    Parameter

session-id

    Evidence

Set-cookie: session-id

URL

https://www.amazon.com/gp/ls/impress.html/ref=vas_lux_zip_refresh_?hitType=popUp

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=PW8F1ESSKAR2GQ8GZJ2T&hostPageType=Detail&_=1498854696891

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=https%3A%2F%2Fwww.amazon.com%2F&height=585&width=1291&_=1498854652085

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/ls/impress.html/ref=vas_lux_zip_refresh_?hitType=popUp

    Method

GET

    Parameter

session-id

    Evidence

Set-cookie: session-id

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=GKMGFN1489QZA1RTH1M3&hostPageType=Search&_=1498854651909

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?cartItems=cart&rid=GKMGFN1489QZA1RTH1M3&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854653262

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/cerberus/log/gv/mid/ATVPDKIKX0DER/asin/B00UZHT432/rc/19/subs/-/dev/WEB

    Method

POST

    Parameter

session-id

    Evidence

Set-cookie: session-id

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?cartItems=cart&rid=GKMGFN1489QZA1RTH1M3&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854653262

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=https%3A%2F%2Fwww.amazon.com%2Fs%2Fref%3Dnb_sb_noss%3Furl%3Dsearch-alias%253Daps%26field-keywords%3Dscrewpop&height=585&width=1291&_=1498854697828

    Method

GET

    Parameter

session-id

    Evidence

Set-cookie: session-id

Instances

44

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://www.amazon.com/Screwpop-Utility-Stainless-Multi-tool-Bottle/dp/B00UZHT432/ref=sr_1_2?ie=UTF8&qid=1498854649&sr=8-2&keywords=screwpop

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=https%3A%2F%2Fwww.amazon.com%2F&height=585&width=1291&_=1498854652085

    Method

GET

    Parameter

session-id

    Evidence

Set-cookie: session-id

URL

https://www.amazon.com/gp/overlay/display.html

    Method

POST

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/ls/impress.html/ref=vas_lux_zip_refresh_?hitType=popUp

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=&height=585&width=1291&_=1498854648687

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?timelineTooltipContent=timelinetooltip&metricKey=timelineTooltipMetric&rid=PW8F1ESSKAR2GQ8GZJ2T&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854697287

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?timelineTooltipContent=timelinetooltip&metricKey=timelineTooltipMetric&rid=PW8F1ESSKAR2GQ8GZJ2T&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854697287

    Method

GET

    Parameter

session-id

    Evidence

Set-cookie: session-id

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=&height=585&width=1291&_=1498854648687

    Method

GET

    Parameter

session-id

    Evidence

Set-cookie: session-id

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?cartItems=cart&rid=GKMGFN1489QZA1RTH1M3&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854653262

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=https%3A%2F%2Fwww.amazon.com%2F&height=585&width=1291&_=1498854652085

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/Screwpop-Utility-Stainless-Multi-tool-Bottle/dp/B00UZHT432/ref=sr_1_2?ie=UTF8&qid=1498854649&sr=8-2&keywords=screwpop

    Method

GET

    Parameter

session-id

    Evidence

Set-cookie: session-id

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?cartItems=cart&rid=GKMGFN1489QZA1RTH1M3&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854653262

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=PW8F1ESSKAR2GQ8GZJ2T&hostPageType=Detail&_=1498854696891

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/ls/impress.html/ref=vas_lux_zip_refresh_?hitType=popUp

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/overlay/display.html

    Method

POST

    Parameter

session-id

    Evidence

Set-cookie: session-id

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=https%3A%2F%2Fwww.amazon.com%2F&height=585&width=1291&_=1498854652085

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=GKMGFN1489QZA1RTH1M3&hostPageType=Search&_=1498854651909

    Method

GET

    Parameter

session-id-time

    Evidence

Set-cookie: session-id-time

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?timelineTooltipContent=timelinetooltip&metricKey=timelineTooltipMetric&rid=PW8F1ESSKAR2GQ8GZJ2T&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854697287

    Method

GET

    Parameter

ubid-main

    Evidence

Set-cookie: ubid-main

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?cartItems=cart&rid=GKMGFN1489QZA1RTH1M3&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854653262

    Method

GET

    Parameter

session-id

    Evidence

Set-cookie: session-id

URL

https://www.amazon.com/

    Method

GET

    Parameter

skin

    Evidence

Set-Cookie: skin

Instances

44

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://www.amazon.com/gp/overlay/display.html

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/Screwpop-Utility-Stainless-Multi-tool-Bottle/dp/B00UZHT432/ref=sr_1_2?ie=UTF8&qid=1498854649&sr=8-2&keywords=screwpop

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?timelineTooltipContent=timelinetooltip&metricKey=timelineTooltipMetric&rid=PW8F1ESSKAR2GQ8GZJ2T&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854697287

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=&height=585&width=1291&_=1498854648687

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/ls/impress.html/ref=vas_lux_zip_refresh_?hitType=popUp

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=https%3A%2F%2Fwww.amazon.com%2F&height=585&width=1291&_=1498854652085

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/ddb/orders

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=PW8F1ESSKAR2GQ8GZJ2T&hostPageType=Detail&_=1498854696891

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=CG475MXMK9J7Q1W4SY8H&hostPageType=Gateway&_=1498854648376

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/cerberus/log/gv/mid/ATVPDKIKX0DER/asin/B00UZHT432/rc/19/subs/-/dev/WEB

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=https%3A%2F%2Fwww.amazon.com%2Fs%2Fref%3Dnb_sb_noss%3Furl%3Dsearch-alias%253Daps%26field-keywords%3Dscrewpop&height=585&width=1291&_=1498854697828

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=screwpop

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/redirection/mexico.html

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=GKMGFN1489QZA1RTH1M3&hostPageType=Search&_=1498854651909

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?cartItems=cart&rid=GKMGFN1489QZA1RTH1M3&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854653262

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.amazon.com/gp/product/sessionCacheUpdateHandler.html

    Method

POST

    Parameter

X-Content-Type-Options

Instances

17

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?timelineTooltipContent=timelinetooltip&metricKey=timelineTooltipMetric&rid=PW8F1ESSKAR2GQ8GZJ2T&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854697287

    Method

GET

    Parameter

Cache-Control

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=&height=585&width=1291&_=1498854648687

    Method

GET

    Parameter

Cache-Control

URL

https://www.amazon.com/gp/overlay/display.html

    Method

POST

    Parameter

Cache-Control

URL

https://www.amazon.com/gp/navigation/ajax/dynamic-menu.html?cartItems=cart&rid=GKMGFN1489QZA1RTH1M3&isFullWidthPrime=0&isPrime=1&dynamicRequest=1&weblabs=&isFreshRegionAndCustomer=&primeMenuWidth=450&_=1498854653262

    Method

GET

    Parameter

Cache-Control

URL

https://www.amazon.com/Screwpop-Utility-Stainless-Multi-tool-Bottle/dp/B00UZHT432/ref=sr_1_2?ie=UTF8&qid=1498854649&sr=8-2&keywords=screwpop

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache, no-transform

URL

https://www.amazon.com/gp/ls/impress.html/ref=vas_lux_zip_refresh_?hitType=popUp

    Method

GET

    Parameter

Cache-Control

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=GKMGFN1489QZA1RTH1M3&hostPageType=Search&_=1498854651909

    Method

GET

    Parameter

Cache-Control

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=CG475MXMK9J7Q1W4SY8H&hostPageType=Gateway&_=1498854648376

    Method

GET

    Parameter

Cache-Control

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=https%3A%2F%2Fwww.amazon.com%2F&height=585&width=1291&_=1498854652085

    Method

GET

    Parameter

Cache-Control

URL

https://www.amazon.com/gp/redirection/mexico.html

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.amazon.com/gp/cerberus/log/gv/mid/ATVPDKIKX0DER/asin/B00UZHT432/rc/19/subs/-/dev/WEB

    Method

POST

    Parameter

Cache-Control

URL

https://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=screwpop

    Method

GET

    Parameter

Cache-Control

URL

https://www.amazon.com/gp/prime/digital-adoption/navigation-bar?type=load&isPrime=true&referrer=https%3A%2F%2Fwww.amazon.com%2Fs%2Fref%3Dnb_sb_noss%3Furl%3Dsearch-alias%253Daps%26field-keywords%3Dscrewpop&height=585&width=1291&_=1498854697828

    Method

GET

    Parameter

Cache-Control

URL

https://www.amazon.com/

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.amazon.com/gp/product/sessionCacheUpdateHandler.html

    Method

POST

    Parameter

Cache-Control

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=PW8F1ESSKAR2GQ8GZJ2T&hostPageType=Detail&_=1498854696891

    Method

GET

    Parameter

Cache-Control

URL

https://www.amazon.com/ddb/orders

    Method

POST

    Parameter

Cache-Control

Instances

17

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://www.amazon.com/gp/cerberus/log/gv/mid/ATVPDKIKX0DER/asin/B00UZHT432/rc/19/subs/-/dev/WEB

    Method

POST

    Parameter

X-XSS-Protection

URL

https://www.amazon.com/gp/product/sessionCacheUpdateHandler.html

    Method

POST

    Parameter

X-XSS-Protection

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=CG475MXMK9J7Q1W4SY8H&hostPageType=Gateway&_=1498854648376

    Method

GET

    Parameter

X-XSS-Protection

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=GKMGFN1489QZA1RTH1M3&hostPageType=Search&_=1498854651909

    Method

GET

    Parameter

X-XSS-Protection

URL

https://www.amazon.com/gp/ls/impress.html/ref=vas_lux_zip_refresh_?hitType=popUp

    Method

GET

    Parameter

X-XSS-Protection

URL

https://www.amazon.com/gp/overlay/display.html

    Method

POST

    Parameter

X-XSS-Protection

URL

https://www.amazon.com/Screwpop-Utility-Stainless-Multi-tool-Bottle/dp/B00UZHT432/ref=sr_1_2?ie=UTF8&qid=1498854649&sr=8-2&keywords=screwpop

    Method

GET

    Parameter

X-XSS-Protection

URL

https://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=screwpop

    Method

GET

    Parameter

X-XSS-Protection

URL

https://www.amazon.com/gp/redirection/mexico.html

    Method

POST

    Parameter

X-XSS-Protection

URL

https://www.amazon.com/

    Method

GET

    Parameter

X-XSS-Protection

URL

https://www.amazon.com/gp/navcart/sidebar?ie=UTF8&hostPageRID=PW8F1ESSKAR2GQ8GZJ2T&hostPageType=Detail&_=1498854696891

    Method

GET

    Parameter

X-XSS-Protection

Instances

11

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://www.dropbox.com/file_activity/file_activity?is_xhr=true&activity_context=1&activity_context_data=https%3A%2F%2Fwww.dropbox.com%2Fs%2Fais77xrqqv7f30z%2FShopify%2520order%2520export%2520as%2520of%25202017-06-19.zip%3Fdl%3D0

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.dropbox.com/s/ais77xrqqv7f30z/Shopify%20order%20export%20as%20of%202017-06-19.zip?dl=0

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.dropbox.com/alternate_wtl

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.dropbox.com/file_activity/file_activity?is_xhr=true&activity_context=1&activity_context_data=https%3A%2F%2Fwww.dropbox.com%2Fs%2F1lm3jbgkve7jq9n%2FiTickets%2520Orders%2520Export%25202017-06-19.csv%3Fdl%3D0

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.dropbox.com/sso_state

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.dropbox.com/s/1lm3jbgkve7jq9n/iTickets%20Orders%20Export%202017-06-19.csv?dl=0

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.dropbox.com/2/seen_state/logged_out/get_pass_status

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache

Instances

7

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Password Autocomplete in Browser

Description

The AUTOCOMPLETE attribute is not disabled on an HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved.

URL

https://www.dropbox.com/s/ais77xrqqv7f30z/Shopify%20order%20export%20as%20of%202017-06-19.zip?dl=0

    Method

GET

    Parameter

pyxl3053720554894070202

    Evidence

<input class="password-input text-input-input" type="password" id="pyxl3053720554894070202" name="login_password" />

URL

https://www.dropbox.com/s/1lm3jbgkve7jq9n/iTickets%20Orders%20Export%202017-06-19.csv?dl=0

    Method

GET

    Parameter

pyxl7960577390556712091

    Evidence

<input class="password-input text-input-input" type="password" id="pyxl7960577390556712091" name="login_password" />

URL

https://www.dropbox.com/s/1lm3jbgkve7jq9n/iTickets%20Orders%20Export%202017-06-19.csv?dl=0

    Method

GET

    Parameter

pyxl7960577390556712150

    Evidence

<input class="password-input text-input-input" type="password" id="pyxl7960577390556712150" name="login_password" />

URL

https://www.dropbox.com/s/ais77xrqqv7f30z/Shopify%20order%20export%20as%20of%202017-06-19.zip?dl=0

    Method

GET

    Parameter

pyxl3053720554894070162

    Evidence

<input class="password-input text-input-input" type="password" id="pyxl3053720554894070162" name="login_password" />

URL

https://www.dropbox.com/s/1lm3jbgkve7jq9n/iTickets%20Orders%20Export%202017-06-19.csv?dl=0

    Method

GET

    Parameter

pyxl7960577390556712010

    Evidence

<input class="password-input text-input-input" type="password" id="pyxl7960577390556712010" name="login_password" />

URL

https://www.dropbox.com/s/ais77xrqqv7f30z/Shopify%20order%20export%20as%20of%202017-06-19.zip?dl=0

    Method

GET

    Parameter

pyxl3053720554894070302

    Evidence

<input class="password-input text-input-input" type="password" id="pyxl3053720554894070302" name="login_password" />

URL

https://www.dropbox.com/s/1lm3jbgkve7jq9n/iTickets%20Orders%20Export%202017-06-19.csv?dl=0

    Method

GET

    Parameter

pyxl7960577390556712050

    Evidence

<input class="password-input text-input-input" type="password" id="pyxl7960577390556712050" name="login_password" />

URL

https://www.dropbox.com/s/ais77xrqqv7f30z/Shopify%20order%20export%20as%20of%202017-06-19.zip?dl=0

    Method

GET

    Parameter

pyxl3053720554894070243

    Evidence

<input class="password-input text-input-input" type="password" id="pyxl3053720554894070243" name="login_password" />

Instances

8

Solution

Turn off the AUTOCOMPLETE attribute in forms or individual input elements containing password inputs by using AUTOCOMPLETE='OFF'.

Reference

http://www.w3schools.com/tags/att_input_autocomplete.asp

https://msdn.microsoft.com/en-us/library/ms533486%28v=vs.85%29.aspx

CWE Id

525

WASC Id

15

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://www.dropbox.com/s/1lm3jbgkve7jq9n/iTickets%20Orders%20Export%202017-06-19.csv?dl=0

    Method

GET

    Parameter

https://www.google.com/recaptcha/api.js?onload=recaptchaOnloadCallback&render=explicit

    Evidence

<script nonce="9Hmx5o/sI6F9CYSvim6j" src="https://www.google.com/recaptcha/api.js?onload=recaptchaOnloadCallback&amp;render=explicit" nonce="DW5UIDMYBWze3PQ+jPW1"></script>

URL

https://www.dropbox.com/s/ais77xrqqv7f30z/Shopify%20order%20export%20as%20of%202017-06-19.zip?dl=0

    Method

GET

    Parameter

https://cfl.dropboxstatic.com/static/compiled/js/alameda_bundle.min-vfl1lPBgl.js

    Evidence

<script async="async" type="text/javascript" src="https://cfl.dropboxstatic.com/static/compiled/js/alameda_bundle.min-vfl1lPBgl.js" nonce="DW5UIDMYBWze3PQ+jPW1"></script>

URL

https://www.dropbox.com/s/ais77xrqqv7f30z/Shopify%20order%20export%20as%20of%202017-06-19.zip?dl=0

    Method

GET

    Parameter

https://www.google.com/recaptcha/api.js?onload=recaptchaOnloadCallback&render=explicit

    Evidence

<script nonce="9Hmx5o/sI6F9CYSvim6j" src="https://www.google.com/recaptcha/api.js?onload=recaptchaOnloadCallback&amp;render=explicit" nonce="DW5UIDMYBWze3PQ+jPW1"></script>

URL

https://www.dropbox.com/s/1lm3jbgkve7jq9n/iTickets%20Orders%20Export%202017-06-19.csv?dl=0

    Method

GET

    Parameter

https://cfl.dropboxstatic.com/static/compiled/js/alameda_bundle.min-vfl1lPBgl.js

    Evidence

<script async="async" type="text/javascript" src="https://cfl.dropboxstatic.com/static/compiled/js/alameda_bundle.min-vfl1lPBgl.js" nonce="DW5UIDMYBWze3PQ+jPW1"></script>

Instances

4

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://www.exacttargetapis.com/automation/v1/automations/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow?view=targetObjects&_=1498843507052

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/internal/v1/campaigns/assets/?AssetObjectIds=dea753c0-855b-e711-82f4-00110a68cc95

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/internal/v1/customobjects/category/33262/?retrievalType=1&$page=1&$pagesize=25&$orderBy=Name%20DESC%20&_=1498846262696

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/internal/v1/customobjects/category/33262/?retrievalType=1&$page=1&$pagesize=50&$orderBy=Name%20DESC%20&_=1498846262697

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/contacts/v1/customObject/dea753c0-855b-e711-82f4-00110a68cc95/isUsedInContacts?_=1498846262712

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/automation/v1/folders/?$filter=categorytype%20eq%20importdefinitions&_=1498843507436

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/platform-internal/v1/userkeystore/@me?_=1498843195701

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/internal/v1/keyStore/DEGridSort

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/platform-internal/v1/calendar-eventtypes?mids=all&_=1498843195697

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/internal/v1/async/asyncactivitylog/active/?&ActivityObjectIds=ffd37766-1e5d-e711-82f4-00110a68cc95,5825b537-d25d-e711-82f4-00110a68cc95,b6da2eb0-1556-e711-82f4-00110a68cc95,f0ab1094-a857-e711-82f4-00110a68cc95

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/hub-internal/v1/campaigns/?%24pageSize=50&%24page=1&_=1498846256637

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/internal/v1/campaigns/assets/?&AssetObjectIds=f0ab1094-a857-e711-82f4-00110a68cc95,dea753c0-855b-e711-82f4-00110a68cc95,b6da2eb0-1556-e711-82f4-00110a68cc95,ffd37766-1e5d-e711-82f4-00110a68cc95

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com//internal/v1/customobjects/dea753c0-855b-e711-82f4-00110a68cc95/copy

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/internal/v1/customobjects/6ea8653b-d75d-e711-82f4-00110a68cc95/fields/

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/automation/v1/folders/?$filter=categorytype%20eq%20userinitiatedsends&_=1498843507519

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/automation/v1/folders/?$filter=categorytype%20eq%20ssjsactivity&_=1498843507407

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/internal/v1/customobjects/category/33262/?retrievalType=1&$page=1&$pagesize=25&$orderBy=Name%20ASC%20&_=1498855402465

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/automation/v1/folders/?$filter=categorytype%20eq%20dataextracts&_=1498843507438

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/internal/v1/customobjects/category/33262/?retrievalType=1&$page=1&$pagesize=25&$orderBy=Name%20ASC%20&_=1498855402478

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.exacttargetapis.com/automation/v1/folders/?$filter=categorytype%20eq%20dataextracts&_=1498843507522

    Method

GET

    Parameter

X-Content-Type-Options

Instances

202

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://www.exacttargetapis.com/internal/v1/campaigns/assets/?&AssetObjectIds=f0ab1094-a857-e711-82f4-00110a68cc95,dea753c0-855b-e711-82f4-00110a68cc95,b6da2eb0-1556-e711-82f4-00110a68cc95,ffd37766-1e5d-e711-82f4-00110a68cc95

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/automation/v1/folders/?$filter=categorytype%20eq%20importdefinitions&_=1498843507436

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/automation/v1/folders/?$filter=categorytype%20eq%20userinitiatedsends&_=1498843507519

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/platform-internal/v1/calendar-eventtypes?mids=all&_=1498843195697

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/internal/v1/customobjects/category/33262/?retrievalType=1&$page=1&$pagesize=25&$orderBy=Name%20ASC%20&_=1498855402462

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/internal/v1/campaigns/assets/?AssetObjectIds=dea753c0-855b-e711-82f4-00110a68cc95

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/internal/v1/customobjects/category/33262/?retrievalType=1&$page=1&$pagesize=25&$orderBy=Name%20ASC%20&_=1498855402498

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/internal/v1/customobjects/category/33262/?retrievalType=1&$page=1&$pagesize=25&$orderBy=Name%20ASC%20&_=1498855402474

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/platform-internal/v1/userkeystore/@me?_=1498843195701

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/internal/v1/customobjects/category/33262/?retrievalType=1&$page=1&$pagesize=25&$orderBy=Name%20DESC%20&_=1498846262696

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/automation/v1/automations/MEVqdkxLT1Y5a08zeUFNS283U0hhZzoyNTow?view=targetObjects&_=1498843507052

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/internal/v1/async/asyncactivitylog/active/?&ActivityObjectIds=ffd37766-1e5d-e711-82f4-00110a68cc95,5825b537-d25d-e711-82f4-00110a68cc95,6ea8653b-d75d-e711-82f4-00110a68cc95,b6da2eb0-1556-e711-82f4-00110a68cc95,f0ab1094-a857-e711-82f4-00110a68cc95

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/automation/v1/folders/?$filter=categorytype%20eq%20importdefinitions&_=1498843507520

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/contacts/v1/customObject/dea753c0-855b-e711-82f4-00110a68cc95/isUsedInContacts?_=1498846262701

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/internal/v1/customobjects/category/2890/?retrievalType=1&$page=1&$pagesize=25&$orderBy=Name%20DESC%20&_=1498846262688

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/internal/v1/campaigns/assets/?&AssetObjectIds=5560abcc-d756-e711-82f4-00110a68cc95

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/internal/v1/async/asyncactivitylog/active/?&ActivityObjectIds=ffd37766-1e5d-e711-82f4-00110a68cc95,5825b537-d25d-e711-82f4-00110a68cc95,b6da2eb0-1556-e711-82f4-00110a68cc95,f0ab1094-a857-e711-82f4-00110a68cc95

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/automation/v1/folders/?$filter=categorytype%20eq%20queryactivity&_=1498843507405

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/internal/v1/customobjects/category/33262/?retrievalType=1&$page=1&$pagesize=25&$orderBy=Name%20ASC%20&_=1498855402496

    Method

GET

    Parameter

Cache-Control

URL

https://www.exacttargetapis.com/automation/v1/folders/?$filter=categorytype%20eq%20importdefinitions&_=1498843507402

    Method

GET

    Parameter

Cache-Control

Instances

202

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3/yt/r/ZN280OoKfkk.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3/yt/r/ZN280OoKfkk.js" data-bootloader-hash="TLhvo" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;TLhvo&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;TLhvo&quot;]=1"></script>

URL

https://www.facebook.com/v2.8/plugins/page.php?adapt_container_width=true&app_id=286393578041613&channel=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df9ab33c2f793c8%26domain%3Dvinjabond.com%26origin%3Dhttp%253A%252F%252Fvinjabond.com%252Ff31d30a8bb74a4%26relation%3Dparent.parent&container_width=548&hide_cover=false&href=https%3A%2F%2Fwww.facebook.com%2Fjohnvinjabondcain%2F&locale=en_US&sdk=joey&show_facepile=false&small_header=false&width=500

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3/yd/r/SF85zCRVpwf.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3/yd/r/SF85zCRVpwf.js" data-bootloader-hash="w/6qa" crossorigin="anonymous"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3iNIQ4/yV/l/en_US/d7xO5gp4e2l.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3iNIQ4/yV/l/en_US/d7xO5gp4e2l.js" data-bootloader-hash="EGRm7" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;EGRm7&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;EGRm7&quot;]=1"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3iSqh4/yV/l/en_US/MXM1T_-MIoX.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3iSqh4/yV/l/en_US/MXM1T_-MIoX.js" data-bootloader-hash="s6Foj" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;s6Foj&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;s6Foj&quot;]=1"></script>

URL

https://www.facebook.com/v2.8/plugins/page.php?adapt_container_width=true&app_id=286393578041613&channel=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df9ab33c2f793c8%26domain%3Dvinjabond.com%26origin%3Dhttp%253A%252F%252Fvinjabond.com%252Ff31d30a8bb74a4%26relation%3Dparent.parent&container_width=548&hide_cover=false&href=https%3A%2F%2Fwww.facebook.com%2Fjohnvinjabondcain%2F&locale=en_US&sdk=joey&show_facepile=false&small_header=false&width=500

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3ijgt4/y0/l/en_US/HN0AKqrlo0X.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3ijgt4/y0/l/en_US/HN0AKqrlo0X.js" data-bootloader-hash="hzeOE" crossorigin="anonymous"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3i1vq4/yD/l/en_US/Ku9LvGs4Hav.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3i1vq4/yD/l/en_US/Ku9LvGs4Hav.js" data-bootloader-hash="tKmvR" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;tKmvR&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;tKmvR&quot;]=1"></script>

URL

https://www.facebook.com/v2.8/plugins/page.php?adapt_container_width=true&app_id=286393578041613&channel=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df9ab33c2f793c8%26domain%3Dvinjabond.com%26origin%3Dhttp%253A%252F%252Fvinjabond.com%252Ff31d30a8bb74a4%26relation%3Dparent.parent&container_width=548&hide_cover=false&href=https%3A%2F%2Fwww.facebook.com%2Fjohnvinjabondcain%2F&locale=en_US&sdk=joey&show_facepile=false&small_header=false&width=500

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3/y9/r/uxQui0dKe4W.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3/y9/r/uxQui0dKe4W.js" data-bootloader-hash="3HIS5" crossorigin="anonymous"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3/yX/r/GesSbjp91dh.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3/yX/r/GesSbjp91dh.js" data-bootloader-hash="iJgAe" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;iJgAe&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;iJgAe&quot;]=1"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3iteM4/yC/l/en_US/BsLUlDIN_iw.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3iteM4/yC/l/en_US/BsLUlDIN_iw.js" data-bootloader-hash="4lYeP" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;4lYeP&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;4lYeP&quot;]=1"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3iY6i4/yq/l/en_US/6WnEgd03aDg.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3iY6i4/yq/l/en_US/6WnEgd03aDg.js" data-bootloader-hash="cUaRZ" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;cUaRZ&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;cUaRZ&quot;]=1"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3/yR/r/NQRnhW7HDwe.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3/yR/r/NQRnhW7HDwe.js" data-bootloader-hash="n3CYQ" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;n3CYQ&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;n3CYQ&quot;]=1"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3iYIk4/yL/l/en_US/T5GcHs9sp5r.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3iYIk4/yL/l/en_US/T5GcHs9sp5r.js" data-bootloader-hash="1nOjW" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;1nOjW&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;1nOjW&quot;]=1"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3iCqh4/yi/l/en_US/jEyDUcX-E3S.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3iCqh4/yi/l/en_US/jEyDUcX-E3S.js" data-bootloader-hash="cY0cv" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;cY0cv&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;cY0cv&quot;]=1"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3irK-4/y2/l/en_US/IjvLCZVK31E.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3irK-4/y2/l/en_US/IjvLCZVK31E.js" data-bootloader-hash="0pWkE" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;0pWkE&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;0pWkE&quot;]=1"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3/y2/r/An9qpkLvRCM.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3/y2/r/An9qpkLvRCM.js" data-bootloader-hash="XBra8" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;XBra8&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;XBra8&quot;]=1"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3iO6a4/yO/l/en_US/2SMPKFUF-mv.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3iO6a4/yO/l/en_US/2SMPKFUF-mv.js" data-bootloader-hash="MrTGq" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;MrTGq&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;MrTGq&quot;]=1"></script>

URL

https://www.facebook.com/v2.8/plugins/page.php?adapt_container_width=true&app_id=286393578041613&channel=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df9ab33c2f793c8%26domain%3Dvinjabond.com%26origin%3Dhttp%253A%252F%252Fvinjabond.com%252Ff31d30a8bb74a4%26relation%3Dparent.parent&container_width=548&hide_cover=false&href=https%3A%2F%2Fwww.facebook.com%2Fjohnvinjabondcain%2F&locale=en_US&sdk=joey&show_facepile=false&small_header=false&width=500

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3i3J-4/ye/l/en_US/-T7V9P95Max.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3i3J-4/ye/l/en_US/-T7V9P95Max.js" data-bootloader-hash="uokFd" crossorigin="anonymous"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3/yY/r/y4YA7aGd5lm.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3/yY/r/y4YA7aGd5lm.js" data-bootloader-hash="kbI+R" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;kbI+R&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;kbI+R&quot;]=1"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3ipgf4/y7/l/en_US/gOOgoGzUvf-.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3ipgf4/y7/l/en_US/gOOgoGzUvf-.js" data-bootloader-hash="Pugj9" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;Pugj9&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;Pugj9&quot;]=1"></script>

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

https://static.xx.fbcdn.net/rsrc.php/v3/yh/r/CeByPbGZANU.js

    Evidence

<script src="https://static.xx.fbcdn.net/rsrc.php/v3/yh/r/CeByPbGZANU.js" data-bootloader-hash="D1OqS" crossorigin="anonymous" async="1" onload=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;D1OqS&quot;]=1" onerror=";(window._btldr||(window._btldr=&#123;&#125;))[&quot;D1OqS&quot;]=1"></script>

Instances

70

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://www.facebook.com/home.php

    Method

GET

    Parameter

X-XSS-Protection

    Evidence

X-XSS-Protection: 0

URL

https://www.facebook.com/v2.8/plugins/page.php?adapt_container_width=true&app_id=286393578041613&channel=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df9ab33c2f793c8%26domain%3Dvinjabond.com%26origin%3Dhttp%253A%252F%252Fvinjabond.com%252Ff31d30a8bb74a4%26relation%3Dparent.parent&container_width=548&hide_cover=false&href=https%3A%2F%2Fwww.facebook.com%2Fjohnvinjabondcain%2F&locale=en_US&sdk=joey&show_facepile=false&small_header=false&width=500

    Method

GET

    Parameter

X-XSS-Protection

    Evidence

X-XSS-Protection: 0

URL

https://www.facebook.com/plugins/like.php?action=like&app_id=888888054527796&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Dfc4d3f9f12f224%26domain%3Dpeal.io%26origin%3Dhttps%253A%252F%252Fpeal.io%252Ff1c70fc52cfba58%26relation%3Dparent.parent&container_width=0&href=https%3A%2F%2Fwww.facebook.com%2Fpages%2FPeal%2F498043440371860&layout=button_count&locale=en_US&sdk=joey&share=false&show_faces=false

    Method

GET

    Parameter

X-XSS-Protection

    Evidence

X-XSS-Protection: 0

URL

https://www.facebook.com/v2.5/plugins/like.php?action=like&app_id=&channel=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df2318bd9123311c%26domain%3Dwww.bankshot.com%26origin%3Dhttp%253A%252F%252Fwww.bankshot.com%252Ffcdb80a5a24e7%26relation%3Dparent.parent&container_width=90&height=65&href=http%3A%2F%2Fwww.bankshot.com%2F&layout=button_count&locale=en_US&sdk=joey&share=false&show_faces=false&width=55

    Method

GET

    Parameter

X-XSS-Protection

    Evidence

X-XSS-Protection: 0

URL

https://www.facebook.com/v2.5/plugins/like.php?action=like&app_id=&channel=http%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FXBwzv5Yrm_1.js%3Fversion%3D42%23cb%3Df32dcb706915634%26domain%3Dwww.bankshot.com%26origin%3Dhttp%253A%252F%252Fwww.bankshot.com%252Ffcdb80a5a24e7%26relation%3Dparent.parent&container_width=90&height=65&href=http%3A%2F%2Fwww.bankshot.com%2F&layout=button_count&locale=en_US&sdk=joey&share=false&show_faces=false&width=55

    Method

GET

    Parameter

X-XSS-Protection

    Evidence

X-XSS-Protection: 0

Instances

5

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://www.facebook.com/pages/call_to_action/fetch_dialog_data/?id=1472477956105303&surface=pagePlugin&unit_type=VIEWER&dpr=1

    Method

POST

    Parameter

c_user

    Evidence

Set-Cookie: c_user

Instances

1

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://www.fullstory.com/s/fs.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.fullstory.com/rec/page?OrgId=1YmX&UserId=4991307971297280&Url=https%3A%2F%2Ftracker.toptal.com%2Fsignin&Base=https%3A%2F%2Ftracker.toptal.com%2Fsignin&Width=0&Height=0&ScreenWidth=1920&ScreenHeight=1080&Referrer=https%3A%2F%2Ftracker.toptal.com%2F%3Femail%3Dhdspeedfreak%2540gmail.com%26password%3Dfxdl97%26remember_me%3Don&Doctype=%3C!DOCTYPE%20html%3E&CompiledTimestamp=1498749201&Fallback=true

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.fullstory.com/rec/page

    Method

POST

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://www.fullstory.com/rec/page

    Method

POST

    Parameter

Cache-Control

URL

https://www.fullstory.com/rec/page?OrgId=1YmX&UserId=4991307971297280&Url=https%3A%2F%2Ftracker.toptal.com%2Fsignin&Base=https%3A%2F%2Ftracker.toptal.com%2Fsignin&Width=0&Height=0&ScreenWidth=1920&ScreenHeight=1080&Referrer=https%3A%2F%2Ftracker.toptal.com%2F%3Femail%3Dhdspeedfreak%2540gmail.com%26password%3Dfxdl97%26remember_me%3Don&Doctype=%3C!DOCTYPE%20html%3E&CompiledTimestamp=1498749201&Fallback=true

    Method

GET

    Parameter

Cache-Control

Instances

2

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=ba&oit=1&cp=2&pgcl=7&gs_rn=42&psi=qmZFC-WV_nmDAaB1&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=tsql+convert+sma&oit=4&cp=16&pgcl=7&gs_rn=42&psi=EBmcj7p7fyfny2_b&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=tsql+convert&oit=4&cp=12&pgcl=7&gs_rn=42&psi=EBmcj7p7fyfny2_b&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?sclient=psy-ab&safe=off&q=datetime+smalldatetime+&oq=&gs_l=&pbx=1&bav=on.2,or.r_cp.&fp=26a95a74edbeea07&biw=1350&bih=575&pf=p&gs_rn=64&gs_ri=psy-ab&tok=QYhM0pHq8Tr4qEcFjPYlIg&pq=datetime%20smalldatetime&cp=23&gs_id=6&xhr=t&tch=1&ech=1&psi=-5JWWeWwK4bQjAOohLn4CA.1498845949463.1

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=tsal+&oit=1&cp=5&pgcl=7&gs_rn=42&psi=jw_WNZOY4IwSDfX0&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=rick+and+morty+s&oit=4&cp=16&pgcl=7&gs_rn=42&psi=JRnzu-d8KiaT9t04&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=https%3A%2F%2Fapi.trell&oit=3&cp=17&pgcl=7&gs_rn=42&psi=2XD8byJ7j4Y06qpO&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/async/newtab?ei=Ra1WWbb8PJG0jwOWxZ2oAQ&espv=2&yv=2&async=es_dfp:8eb83c554b840a75,xid:1,_fmt:json

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=cas&oit=1&cp=3&pgcl=4&gs_rn=42&psi=jw_WNZOY4IwSDfX0&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=banksh&oit=1&cp=6&url=http%3A%2F%2Fwww.bankshot.com%2F&pgcl=4&gs_rn=42&psi=qmZFC-WV_nmDAaB1&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?sclient=psy-ab&safe=off&q=bankshot+app&oq=&gs_l=&pbx=1&bav=on.2,or.r_cp.&fp=68c41d0b6990b646&biw=1306&bih=585&pf=p&gs_rn=64&gs_ri=psy-ab&gs_mss=bankshot%20ap&tok=AANld7J7T1WKlhTwlj_0Eg&pq=bankshot&cp=12&gs_id=g&xhr=t&tch=1&ech=4&psi=i8pWWdKrJM6-jwORyJrICA.1498860173472.1

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=shopify+salesfo&oit=4&cp=15&pgcl=7&gs_rn=42&psi=yCOmI5wfjDTfGZrG&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=tsql+datetime+cast&oit=4&cp=18&pgcl=7&gs_rn=42&psi=jw_WNZOY4IwSDfX0&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=rick+&oit=1&cp=5&pgcl=7&gs_rn=42&psi=JRnzu-d8KiaT9t04&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=cast&oit=1&cp=4&pgcl=4&gs_rn=42&psi=jw_WNZOY4IwSDfX0&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0ahUKEwj4k7i0subUAhVG82MKHUJLCLwQFghFMAE&url=https%3A%2F%2Fapps.shopify.com%2Fintegrations%2Fsalesforce&usg=AFQjCNGWRo1AdR3_tLfD5JHtjklmXB6BaA

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://www.google.com/search?q=bankshot&oq=bankshot&aqs=chrome..69i57j0l5.2188j0j7&sourceid=chrome&ie=UTF-8

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=datetime+smalldat&oit=4&cp=17&pgcl=4&gs_rn=42&psi=_XFUZmAMDhhwxQWJ&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwj03OiKrubUAhVYHGMKHSe1DfAQFggoMAA&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql&usg=AFQjCNGg93xh13lQ-TagfAD0cxGZNZmuNg

    Method

POST

    Parameter

X-Content-Type-Options

URL

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=open+api+to+get+l&oit=4&cp=17&pgcl=7&gs_rn=42&psi=3zn_K2KF-0yv9sTj&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

    Method

GET

    Parameter

X-Content-Type-Options

Instances

384

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwiq8tqsrebUAhUG5WMKHVmXDyYQFggoMAA&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Flanguage-elements%2Fcase-transact-sql&usg=AFQjCNGg93xh13lQ-TagfAD0cxGZNZmuNg

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, must-revalidate

URL

https://www.google.com/complete/search?sclient=psy-ab&safe=off&q=bankshot+a&oq=&gs_l=&pbx=1&bav=on.2,or.r_cp.&fp=68c41d0b6990b646&biw=1306&bih=585&pf=p&gs_rn=64&gs_ri=psy-ab&tok=AANld7J7T1WKlhTwlj_0Eg&pq=bankshot&cp=10&gs_id=8&xhr=t&tch=1&ech=2&psi=i8pWWdKrJM6-jwORyJrICA.1498860173472.1

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.google.com/async/bgasy?ei=t61WWevhHIvKjwPP6LXYDg&yv=2&async=_fmt:jspb

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://www.google.com/search?q=datetime+smalldatetime&oq=datetime+smalldatetime&aqs=chrome..69i57j0l5.3366j0j4&sourceid=chrome&ie=UTF-8

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.google.com/async/bgasy?ei=jr9WWba8GsnwjwPS4qnICw&yv=2&async=_fmt:jspb

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0ahUKEwj7vP-qwubUAhVCwWMKHSKvA48QFgg5MAM&url=https%3A%2F%2Fdevelopers.google.com%2Fmaps%2Fdocumentation%2Fgeocoding%2Fintro&usg=AFQjCNEoQp87kztDFCchzqbJULtBHeHOOA

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, must-revalidate

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwjs1PWruubUAhUJzGMKHdiUBmgQFggoMAA&url=https%3A%2F%2Fstackoverflow.com%2Fquestions%2F5591473%2Ferror-string-or-binary-data-would-be-truncated-when-trying-to-insert&usg=AFQjCNHEFsBoZPJwjIP3Z8MOhLS5DxZB9Q

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, must-revalidate

URL

https://www.google.com/search?q=bankshot&oq=bankshot&aqs=chrome.0.69i59j0j69i60j0l3.1415j0j4&sourceid=chrome&ie=UTF-8

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.google.com/async/bgasy?ei=Da5WWbSiMdi4jAOn6raADw&yv=2&async=_fmt:jspb

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://www.google.com/search?q=String+or+binary+data+would+be+truncated.&oq=String+or+binary+data+would+be+truncated.&aqs=chrome..69i57j0l5.652j0j7&sourceid=chrome&ie=UTF-8

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.google.com/async/bgasy?ei=6LpWWezAG4mYjwPYqZrABg&yv=2&async=_fmt:jspb

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://www.google.com/async/bgasy?ei=SK1WWaquG4bKjwPZrr6wAg&yv=2&async=_fmt:jspb

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0ahUKEwipg7ObyebUAhVM5WMKHSoSCHEQFggzMAI&url=http%3A%2F%2Fwww.bankshot.com%2F&usg=AFQjCNHMVA-YG2CtQnbiblqI4lQwdQ_bMQ

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, must-revalidate

URL

https://www.google.com/complete/search?sclient=psy-ab&safe=off&q=datetime+smalldatetime+&oq=&gs_l=&pbx=1&bav=on.2,or.r_cp.&fp=26a95a74edbeea07&biw=1350&bih=575&pf=p&gs_rn=64&gs_ri=psy-ab&tok=QYhM0pHq8Tr4qEcFjPYlIg&pq=datetime%20smalldatetime&cp=23&gs_id=6&xhr=t&tch=1&ech=1&psi=-5JWWeWwK4bQjAOohLn4CA.1498845949463.1

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.google.com/search?q=whats+my+ip&oq=whats+my+ip&aqs=chrome..69i57j0l5.1988j0j7&sourceid=chrome&ie=UTF-8

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.google.com/async/bgasy?ei=gMpWWanDFMzKjwOqpKCIBw&yv=2&async=_fmt:jspb

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0ahUKEwjT0Y-2rubUAhVR62MKHTDeDwsQFgg0MAE&url=https%3A%2F%2Fstackoverflow.com%2Fquestions%2F12099059%2Fhow-to-convert-varchar-to-datetime-in-t-sql&usg=AFQjCNGFIgQfhdEFL3G1_RPnxL1o3L8N8A

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, must-revalidate

URL

https://www.google.com/search?q=tsql+datetime+cast&oq=tsql+datetime+cast&aqs=chrome..69i57j0l5.5687j0j7&sourceid=chrome&ie=UTF-8

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.google.com/cse/static/style/look/default.css

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0ahUKEwiOw5vjj-bUAhUG8mMKHebCBmAQFghdMAY&url=http%3A%2F%2Fsearchsqlserver.techtarget.com%2Ftip%2FBasics-for-working-with-DATETIME-and-SMALLDATETIME-in-SQL-Server-2005&usg=AFQjCNEoqOMn6DJkVSJ-KSg8H_O1kpLGuA

    Method

POST

    Parameter

Cache-Control

    Evidence

no-cache, must-revalidate

Instances

71

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://www.googleapis.com/carddav/v1/principals/hdspeedfreak%40gmail.com/lists/default/

    Method

REPORT

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.googleapis.com/carddav/v1/principals/bernt%40bluenilesw.com/lists/

    Method

PROPFIND

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.googleapis.com/carddav/v1/principals/bernt%40bluenilesw.com/

    Method

PROPFIND

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.googleapis.com/carddav/v1/principals/bernt%40reddogsw.com/lists/

    Method

PROPFIND

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.googleapis.com/carddav/v1/principals/bernt%40bluenilesw.com/lists/default/

    Method

REPORT

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.googleapis.com/carddav/v1/principals/bernt%40reddogsw.com/lists/gal/

    Method

PROPFIND

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.googleapis.com/carddav/v1/principals/hdspeedfreak%40gmail.com/

    Method

PROPFIND

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.googleapis.com/carddav/v1/principals/hdspeedfreak%40gmail.com/lists/

    Method

PROPFIND

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.googleapis.com/carddav/v1/principals/bernt%40reddogsw.com/lists/default/

    Method

REPORT

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.googleapis.com/carddav/v1/principals/bernt%40reddogsw.com/

    Method

PROPFIND

    Parameter

Cache-Control

    Evidence

private, max-age=0

URL

https://www.googleapis.com/carddav/v1/principals/bernt%40bluenilesw.com/lists/gal/

    Method

PROPFIND

    Parameter

Cache-Control

    Evidence

private, max-age=0

Instances

11

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://www.googletagmanager.com/gtm.js?id=GTM-K8WT2R

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.googletagmanager.com/gtm.js?id=GTM-PJ8M5SK&gtm_auth=chlg06CfblVj204fihGEqA&gtm_preview=env-8&gtm_cookies_win=x

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.googletagmanager.com/gtm.js?id=GTM-W546ZN

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.googletagmanager.com/gtm.js?id=GTM-5CVQBG&l=gtmDataLayer

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.googletagmanager.com/gtm.js?id=GTM-P7SP4V

    Method

GET

    Parameter

X-Content-Type-Options

Instances

5

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Private IP Disclosure

Description

A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

URL

https://www.gstatic.com/_/pantheon/_/js/k=pantheon.pantheon_module_set.en_US.DZH72F7J6Vo.O/m=core,jsmod_apiui/am=AAB4AwCAABgAUIAYAECBEAbAKQCQKmABAGAYgAgAAAW4AJAQAUg/rt=j/d=1/rs=ADqnUbMOi0qQJUVd48_YSCAlKiVhSEyVZQ

    Method

GET

    Evidence

192.168.0.1

Instances

1

Solution

Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.

Other information

192.168.0.1

172.16.0.0

Reference

https://tools.ietf.org/html/rfc1918

CWE Id

200

WASC Id

13

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://www.gstatic.com/_/pantheon/_/ss/k=pantheon.pantheon_module_set.-u6824mruyzuh.L.W.O/am=AAB4AwCAABgAUIAYAECBEAbAKQCQKmABAGAYgAgAAAW4AJAQAUg/d=1/rs=ADqnUbMHLIMWgdyLZJviiUozZARFJ8GXtw

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=31536000

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://www.messenger.com/ajax/bz

    Method

POST

    Parameter

c_user

    Evidence

Set-Cookie: c_user

URL

https://www.messenger.com/ajax/bz

    Method

POST

    Parameter

wd

    Evidence

Set-Cookie: wd

Instances

2

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://www.messenger.com/ajax/bz

    Method

POST

    Parameter

wd

    Evidence

Set-Cookie: wd

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://www.microsoft.com/library/svy/sto/broker.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.microsoft.com/library/svy/sto/broker-config.js?1498846957290

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.microsoft.com/library/svy/sto/broker-config.js?1498845187771

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.microsoft.com/library/svy/sto/broker-config.js?1498844779977

    Method

GET

    Parameter

X-Content-Type-Options

Instances

4

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://www.reddit.com/api/info.json?url=http://vinjabond.com/category/hacks/&jsonp=Filament.SocialStats.parseStats.reddit&_1498862518599=

    Method

GET

    Parameter

initref

    Evidence

set-cookie: initref

URL

https://www.reddit.com/api/info.json?url=http://vinjabond.com/macgyvered-how-to-operate-like-macgyver/&jsonp=Filament.SocialStats.parseStats.reddit&_1498862553713=

    Method

GET

    Parameter

initref

    Evidence

set-cookie: initref

URL

https://www.reddit.com/api/info.json?url=http://vinjabond.com/category/hacks/&jsonp=Filament.SocialStats.parseStats.reddit&_1498862518599=

    Method

GET

    Parameter

session_tracker

    Evidence

set-cookie: session_tracker

URL

https://www.reddit.com/api/info.json?url=http://vinjabond.com/macgyvered-how-to-operate-like-macgyver/&jsonp=Filament.SocialStats.parseStats.reddit&_1498862553713=

    Method

GET

    Parameter

session_tracker

    Evidence

set-cookie: session_tracker

Instances

4

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/sfdc-aem-master/clientlibs_target.min.d3361a6371d57734a92c480aea90a69f.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/sfdc-aem-master/clientlibs_target.min.d3361a6371d57734a92c480aea90a69f.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/sfdc-www/clientlibs_mouseflow.min.c7ed116971b905e9db1529b89b3480d6.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/sfdc-www/clientlibs_mouseflow.min.c7ed116971b905e9db1529b89b3480d6.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//assets.adobedtm.com/7089d7be7dacc457a8233ff9a3a1a83c5d80ff74/satelliteLib-eb844e404d0d734b7f9841b393b34585463d72b4.js

    Evidence

<script src="//assets.adobedtm.com/7089d7be7dacc457a8233ff9a3a1a83c5d80ff74/satelliteLib-eb844e404d0d734b7f9841b393b34585463d72b4.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/foundation/jquery.min.d7c42e4a257b8b9fe38d1c53dd20d01a.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/foundation/jquery.min.d7c42e4a257b8b9fe38d1c53dd20d01a.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/sfdc-www-global/clientlibs_base.min.d41d8cd98f00b204e9800998ecf8427e.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/sfdc-www-global/clientlibs_base.min.d41d8cd98f00b204e9800998ecf8427e.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/sfdc-aem-master/clientlibs_target_at.min.e430b312d683ebeb30c4268dc6bde43f.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/sfdc-aem-master/clientlibs_target_at.min.e430b312d683ebeb30c4268dc6bde43f.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/foundation/personalization/kernel.min.4c82f83ebcf6ed4a6ee4836c155f341d.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/foundation/personalization/kernel.min.4c82f83ebcf6ed4a6ee4836c155f341d.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/sfdc-aem-master/clientlibs_yall.min.ded48a3646073cb853f8f12e703c27ab.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/sfdc-aem-master/clientlibs_yall.min.ded48a3646073cb853f8f12e703c27ab.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/sfdc-www/clientlibs_newrelic.min.7d40a47fc3896687c6fefb3070d0259f.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/sfdc-www/clientlibs_newrelic.min.7d40a47fc3896687c6fefb3070d0259f.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c2.sfdcstatic.com/etc/clientlibs/sfdc-www/clientlibs_base.min.74e47db644861072aab7c9855bb0af3d.js

    Evidence

<script type="text/javascript" src="//c2.sfdcstatic.com/etc/clientlibs/sfdc-www/clientlibs_base.min.74e47db644861072aab7c9855bb0af3d.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/granite/jquery.min.d311399a202bbfe8f6b94a4546a2a025.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/granite/jquery.min.d311399a202bbfe8f6b94a4546a2a025.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/granite/lodash/modern.min.7b2eea6898007731c2ec2232f96726c7.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/granite/lodash/modern.min.7b2eea6898007731c2ec2232f96726c7.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c2.sfdcstatic.com/etc/clientlibs/granite/utils.min.3010ac293e9c3ee5e4d05561c6e817b9.js

    Evidence

<script type="text/javascript" src="//c2.sfdcstatic.com/etc/clientlibs/granite/utils.min.3010ac293e9c3ee5e4d05561c6e817b9.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/sfdc-aem-master/clientlibs_analytics_top.min.37543004a2c6289fe4eb8e359a93966d.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/sfdc-aem-master/clientlibs_analytics_top.min.37543004a2c6289fe4eb8e359a93966d.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/sfdc-aem-master/clientlibs_analytics_bottom.min.ab5942864becc5e24a16ea9de27de634.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/sfdc-aem-master/clientlibs_analytics_bottom.min.ab5942864becc5e24a16ea9de27de634.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/granite/jquery/granite.min.b14676fa47cce8b31155c6be3da9e810.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/granite/jquery/granite.min.b14676fa47cce8b31155c6be3da9e810.js"></script>

URL

https://www.salesforce.com/

    Method

GET

    Parameter

//c1.sfdcstatic.com/etc/clientlibs/foundation/shared.min.382b2b1228aed143f42df767d3f1d3de.js

    Evidence

<script type="text/javascript" src="//c1.sfdcstatic.com/etc/clientlibs/foundation/shared.min.382b2b1228aed143f42df767d3f1d3de.js"></script>

Instances

17

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://www.salesforce.com/

    Method

GET

    Parameter

X-XSS-Protection

URL

https://www.salesforce.com/content/campaigns/en_us/homepage/customer-profile-3/home-jumbotroncomponent/_jcr_content/par.html

    Method

GET

    Parameter

X-XSS-Protection

Instances

2

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://www.salesforce.com/

    Method

GET

    Parameter

Cache-Control

URL

https://www.salesforce.com/libs/granite/csrf/token.json

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.salesforce.com/content/campaigns/en_us/homepage/customer-profile-3/home-jumbotroncomponent/_jcr_content/par.html

    Method

GET

    Parameter

Cache-Control

Instances

3

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://www.salesforce.com/

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.salesforce.com/content/campaigns/en_us/homepage/customer-profile-3/home-jumbotroncomponent/_jcr_content/par.html

    Method

GET

    Parameter

X-Content-Type-Options

Instances

2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://www.sfdcstatic.com/system/shared/common/assets/fonts/SalesforceSans/SalesforceSans-Regular.woff

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sfdcstatic.com/system/shared/common/assets/fonts/SalesforceSans/SalesforceSans-Light.woff

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sfdcstatic.com/system/shared/common/assets/fonts/SalesforceSans/SalesforceSans-Bold.woff

    Method

GET

    Parameter

X-Content-Type-Options

Instances

3

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://www.sqlservercentral.com/shared/jquery/jquery-migrate-1.4.1.min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Resources/global.js?cache-buster=2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Forums/262686/The-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Forums/skins/classic/styles/fonts/fontawesome-webfont.woff?v=4.2.0

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/js/snow-bs.js?v=2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Resources/js/ssc.js?v=2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Forums/skins/classic/styles/core.css?v=2016-2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Forums/js/framework/compositescripts.min.js?v=2016-2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/shared/jquery/jquery-1.9.1.min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Resources/ExSimpleTalk.css

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/shared/jquery/jquery.hint.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/js/snow-2.8.0.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Resources/Public.css?v=8

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/shared/jquery/jquery-ui-1.12.1-custom.min.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Forums/js/core.js?v=2016-2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/shared/jquery/jquery.corners.js

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Forums/js/prettify/prettify.js?v=2016-2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Forums/globalization/en-us/strings.js?v=2016-2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Forums/skins/classic/styles/theme.css?v=2016-2

    Method

GET

    Parameter

X-Content-Type-Options

URL

https://www.sqlservercentral.com/Forums/WebServices/Topics.asmx/js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

27

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://www.sqlservercentral.com/Resources/ExSimpleTalk.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=1209600

URL

https://www.sqlservercentral.com/Resources/Public.css?v=8

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=1209600

URL

https://www.sqlservercentral.com/Forums/skins/classic/styles/core.css?v=2016-2

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

URL

https://www.sqlservercentral.com/Forums/skins/classic/styles/theme.css?v=2016-2

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=31536000

URL

https://www.sqlservercentral.com/Forums/262686/The-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error

    Method

GET

    Parameter

Cache-Control

    Evidence

private

URL

https://www.sqlservercentral.com/Resources/Signup.css?v=1

    Method

GET

    Parameter

Cache-Control

    Evidence

public, max-age=7200, s-maxage=7200

URL

https://www.sqlservercentral.com/Resources/AutoCompleteDropdown.css

    Method

GET

    Parameter

Cache-Control

    Evidence

max-age=1209600

Instances

7

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://www.sqlservercentral.com/Forums/262686/The-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error

    Method

GET

    Parameter

ssc_IF_ForumsRead8

    Evidence

Set-Cookie: ssc_IF_ForumsRead8

URL

https://www.sqlservercentral.com/Forums/262686/The-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error

    Method

GET

    Parameter

ssc_IF_TopicsRead262686

    Evidence

Set-Cookie: ssc_IF_TopicsRead262686

URL

https://www.sqlservercentral.com/Forums/262686/The-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error

    Method

GET

    Parameter

ssc_IF_LastVisit

    Evidence

Set-Cookie: ssc_IF_LastVisit

URL

https://www.sqlservercentral.com/Forums/262686/The-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error

    Method

GET

    Parameter

ASP.NET_SessionId

    Evidence

Set-Cookie: ASP.NET_SessionId

URL

https://www.sqlservercentral.com/Forums/262686/The-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error

    Method

GET

    Parameter

ssc_IF_CurrentPage

    Evidence

Set-Cookie: ssc_IF_CurrentPage

Instances

5

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)Cookie No HttpOnly Flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL

https://www.sqlservercentral.com/Forums/262686/The-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error

    Method

GET

    Parameter

ssc_IF_LastVisit

    Evidence

Set-Cookie: ssc_IF_LastVisit

URL

https://www.sqlservercentral.com/Forums/262686/The-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error

    Method

GET

    Parameter

ssc_IF_CurrentPage

    Evidence

Set-Cookie: ssc_IF_CurrentPage

Instances

2

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

http://www.owasp.org/index.php/HttpOnly

CWE Id

16

WASC Id

13

Source ID

3

Low (Medium)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL

https://www.sqlservercentral.com/Forums/262686/The-conversion-from-datetime-data-type-to-smalldatetime-data-type-resulted-in-a-smalldatetime-overflow-error

    Method

GET

    Parameter

X-XSS-Protection

Instances

1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Source ID

3

Low (Medium)Cross-Domain JavaScript Source File Inclusion

Description

The page includes one or more script files from a third-party domain.

URL

https://www.tealdit.com/toolbar/v1.js

    Method

GET

    Parameter

//static.addtoany.com/menu/page.js

    Evidence

<script type="text/javascript" src="//static.addtoany.com/menu/page.js"></script>

URL

https://www.tealdit.com/toolbar/v1.js

    Method

GET

    Parameter

https://apis.google.com/js/platform.js

    Evidence

<script src="https://apis.google.com/js/platform.js" async defer></script>

Instances

2

Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id

829

WASC Id

15

Source ID

3

Low (Medium)Cookie Without Secure Flag

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL

https://www.tealdit.com/toolbar/v1.js

    Method

GET

    Parameter

__cfduid

    Evidence

Set-Cookie: __cfduid

Instances

1

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

CWE Id

614

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://www.tealdit.com/toolbar/v1.js

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://www.youtube.com/embed/GPJtXpgwbSU?vq=hd1080

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.youtube.com/embed/dKvKFdpuBr4?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-3&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.youtube.com/embed/vGm9fmN_9Ws?modestbranding=1&color=white&showinfo=0&controls=1&rel=0

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.youtube.com/embed/_dNKSvP8qWY?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-5&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.youtube.com/embed/dKvKFdpuBr4?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-6&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.youtube.com/embed/_dNKSvP8qWY?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-4&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.youtube.com/embed/_dNKSvP8qWY?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-1&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.youtube.com/embed/_dNKSvP8qWY?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2F_dNKSvP8qWY%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-2&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

URL

https://www.youtube.com/youtubei/v1/log_interaction?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8

    Method

POST

    Parameter

Cache-Control

    Evidence

private

URL

https://www.youtube.com/embed/dKvKFdpuBr4?definition=hd&default=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fdefault.jpg&medium=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmqdefault.jpg&high=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fhqdefault.jpg&standard=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fsddefault.jpg&maxres=https%3A%2F%2Fi.ytimg.com%2Fvi%2FdKvKFdpuBr4%2Fmaxresdefault.jpg&el=preview&cc_load_policy=1&authuser=1&cc3_module=1&wmode=window&override_hl=1&hl=en&enablepostapi=1&postid=drive-viewer-video-player-object-0&origin=https%3A%2F%2Fmail.google.com

    Method

GET

    Parameter

Cache-Control

    Evidence

no-cache

Instances

10

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3

Low (Medium)X-Content-Type-Options Header Missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL

https://xp.apple.com/register?guid=F45C89B50505

    Method

GET

    Parameter

X-Content-Type-Options

Instances

1

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id

16

WASC Id

15

Source ID

3

Low (Medium)Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

https://xp.apple.com/register?guid=F45C89B50505

    Method

GET

    Parameter

Cache-Control

    Evidence

private, max-age=60

Instances

1

Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id

525

WASC Id

13

Source ID

3